Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524409
MD5:	983a1a23eb06ef4323ee7a01425e47ef
SHA1:	cbdbfb1f18152b7205e9b4a647b269fe0a413154
SHA256:	c6b13a9fc461010cf268d60923813c067b7b2c382573f16d538067e8210ceba6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 983A1A23EB06EF4323EE7A01425E47EF)

taskkill.exe (PID: 6724 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7864 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6676	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 505sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_88.5.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_88.5.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_85.5.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_88.5.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_89.5.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_88.5.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_89.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_88.5.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_89.5.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_89.5.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_88.5.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_89.5.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_88.5.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_85.5.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_88.5.dr	String found in binary or memory: https://www.google.com
Source: chromecache_89.5.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_89.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_89.5.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.1785354679.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_89.5.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49785 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2ad8575e-9
Source: file.exe, 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_62ba9946-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c14c61d-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5829edae-1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015BF40	0_2_0015BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C2046	0_2_001C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00158060	0_2_00158060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B8298	0_2_001B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018E4FF	0_2_0018E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018676B	0_2_0018676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E4873	0_2_001E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017CAA0	0_2_0017CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015CAF0	0_2_0015CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016CC39	0_2_0016CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00186DD9	0_2_00186DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016B119	0_2_0016B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001591C0	0_2_001591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171394	0_2_00171394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171706	0_2_00171706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017781B	0_2_0017781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00157920	0_2_00157920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016997D	0_2_0016997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001719B0	0_2_001719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177A4A	0_2_00177A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171C77	0_2_00171C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177CA7	0_2_00177CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DBE44	0_2_001DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00189EEE	0_2_00189EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171F32	0_2_00171F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00170A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0016F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@34/32@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C37B5 GetLastError,FormatMessageW,

0_2_001C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B10BF AdjustTokenPrivileges,CloseHandle,		0_2_001B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001DA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001542A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00170A76 push ecx; ret

0_2_00170A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0016F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97509

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C68EE FindFirstFileW,FindClose,	0_2_001C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96630

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CEAA2 BlockInput,

0_2_001CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00182622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00174CE8 mov eax, dword ptr fs:[00000030h]

0_2_00174CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001B0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00182622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0017083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001709D5 SetUnhandledExceptionFilter,	0_2_001709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00170C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00170C21

Source: C:\Users\user\Desktop\file.exe

0_2_001B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00192BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00192BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0016F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0016F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001D22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_001B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00170698 cpuid

0_2_00170698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AD27A GetUserNameW,

0_2_001AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0018BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0018BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6676, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6676, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.142	true	false	unknown
www3.l.google.com	142.250.185.78	true	false	unknown
play.google.com	142.250.185.174	true	false	unknown
www.google.com	172.217.23.100	true	false	unknown
youtube.com	142.250.185.78	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_89.5.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_89.5.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_85.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_88.5.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_88.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_88.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_85.5.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_88.5.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_89.5.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_89.5.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_88.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_89.5.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_88.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	www3.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.78	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	play.google.com	United States	15169	GOOGLEUS	false
142.250.185.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.23.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524409
Start date and time:	2024-10-02 18:59:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@34/32@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 46 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 66.102.1.84, 142.250.185.206, 34.104.35.123, 142.250.184.195, 142.250.185.138, 142.250.184.202, 142.250.185.106, 172.217.16.138, 142.250.184.234, 172.217.18.10, 142.250.185.74, 216.58.206.42, 216.58.212.170, 142.250.185.234, 142.250.186.170, 142.250.185.170, 142.250.186.42, 142.250.181.234, 142.250.186.106, 142.250.185.202, 93.184.221.240, 192.229.221.95, 142.250.186.74, 142.250.186.138, 172.217.16.202, 172.217.18.106, 216.58.212.138, 216.58.206.74, 142.250.185.67, 64.233.166.84, 172.217.16.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1652
Entropy (8bit):	5.269909938363071
Encrypted:	false
SSDEEP:	48:o72ZrNZDuZW4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyRuZMNAY+1i4HoBNG2Ilw
MD5:	63E5B24335CCDC457DD0B69AD1891CF9
SHA1:	8DD3AED0737BEDBEE133BA564D3CA43579A138F7
SHA-256:	FB72BE79F85659D5AF831FD644C4702EA5BFC6E6A90CDB156DE0816B179278C0
SHA-512:	EC3A143FED571A7FC490433F11DDBD66752E42F0BAC476F79F9B8310DB0419CAE2B8CD65F1283D590F5979F4CC1FB8B2610F106BF38E0B93F384201B8BF5E5DA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=xUdipf,OTA3Ae,A1yn5d,fKUV3e,aurFic,Ug7Xab,NwH0H,OmgaI,gychg,w9hDv,EEDORb,Mlhmy,ZfAoz,kWgXee,ovKuLd,yDVVkb,ebZ3mb,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1416
Entropy (8bit):	5.275155058463166
Encrypted:	false
SSDEEP:	24:kMYD7hqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87O/BprGJ:o7hv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4DB6842CDFAC9E03D7C1CF87E398B357
SHA1:	08158AB8F5947E048C88A1289E9E8CE9641B7CE9
SHA-256:	8991D23B586608AE114E150355FF192B30A379EAB1DC3F1444109DDC52B13AC1
SHA-512:	FB7C461DFB96B10E099C3BA41C45AA904BB7D473EF0D44BD6A2E841BC44336DD5F1C9B73919B79A6BF4AA13B806E742F2003A16528E995374E210BB4C3E96EFA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e){if($Za)if(e instanceof _.lf){if(!e.status\|\|

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2544)
Category:	downloaded
Size (bytes):	358799
Entropy (8bit):	5.624587482410481
Encrypted:	false
SSDEEP:	6144:T/wM8RGYcBlKmhCxiDlnc0pYMSrBg5X3rU:TD8XxEdA
MD5:	A51DFF6CB98C15CBA0A2B688CC0A862F
SHA1:	5CF15DBD322A0F9CF3A820013E185EC2EDD56BB0
SHA-256:	854215C9FE46B6029883F37C44512F7EB10BA97FC7A623C237DC6824BD92DB1E
SHA-512:	D1036F2C4AE71BE22315D5AEC062E1D59EA2570D7138B97F367149C9622BEE35EAC1DBE9818AC7BE107D88683089EBE220951D025CC11908055B108B27D7BD86
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,EFQ78c,EIOG1e,GwYlN,I6YDgd,IZT63,K0PMbc,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,y5vRwf,zbML3c,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3190)
Category:	downloaded
Size (bytes):	339747
Entropy (8bit):	5.53363647964667
Encrypted:	false
SSDEEP:	3072:Vuv7kVKtaVFuzDXG6ZfzeelpRv9xqjne01T2HemAIaDlC6diGVOY50UlRQQIBeDq:svaKtM6ZfTxene0F2HemAaGP6BBe2
MD5:	D2D05D80ACF53F04C1BEB6A387216F5E
SHA1:	6E8B87D352419E28C5F8E3881787DC6C56CEB26E
SHA-256:	4BA0D4EA27446C609D515539A334E3B16A4AC7BF936A996CF7E3927FFDDD569F
SHA-512:	966582697B455B2DDC52210A0F46EFD77EDC67D668E7FC2F14E18DF38E8595472AB76ED17B9D2928E16FA987E3231C2A45D9BD52D9DC2CE7E4C394E2453518E6
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".EE6QGf{border-bottom-style:solid;border-bottom-width:1px;padding:16px;width:100%;z-index:6;background:#fff;background:var(--gm3-sys-color-surface-container-lowest,#fff);border-color:#c4c7c5;border-color:var(--gm3-sys-color-outline-variant,#c4c7c5);display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}@media (min-width:600px){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}@media (min-width:600px) and (orientation:landscape){.EE6QGf{display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}}@media (min-width:960px) and (orientation:landscape){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}.PZB4Lc{display:flex;width:100%}.YLIzab{font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1rem;font-weight:500;letter-spacing:0rem;line-height:1

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582233693166294
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	983a1a23eb06ef4323ee7a01425e47ef
SHA1:	cbdbfb1f18152b7205e9b4a647b269fe0a413154
SHA256:	c6b13a9fc461010cf268d60923813c067b7b2c382573f16d538067e8210ceba6
SHA512:	0b6a58488a57d4af1c21ad6c7e276c7a48e6b112458f553fc7e2bac2503b5fc42431bc5381cf9adc8605967359623f0759fd868ffb3e26401591bc3d997e1c34
SSDEEP:	12288:PqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDganTL:PqDEvCTbMWu7rQYlBQcBiT6rprG8aTL
TLSH:	6A159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD7297 [Wed Oct 2 16:19:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB47D13BE83h
jmp 00007FB47D13B78Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB47D13B96Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB47D13B93Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB47D13E52Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB47D13E578h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB47D13E561h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9900	0x9a00	2b772f554bc4074376b7de80ff3b6982	False	0.3019226866883117	data	5.277448268855475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xbc6	data			1.0036496350364963
RT_GROUP_ICON	0xdd380	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd3f8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd40c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd420	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd434	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd510	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:00:50.898499012 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:50.898551941 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:50.898607969 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:50.899785042 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:50.899800062 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.069084883 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 19:00:51.551424026 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.551942110 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.551959038 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.552401066 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.552462101 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.553390980 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.553442001 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.557650089 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.557746887 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.559902906 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.559923887 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.600235939 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.852585077 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.852688074 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.852910042 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.853228092 CEST	49732	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:51.853245020 CEST	443	49732	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:51.863426924 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:51.863482952 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:51.863575935 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:51.863857985 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:51.863888979 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.568443060 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.582029104 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.582066059 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.582649946 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.582742929 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.583359003 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.583415031 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.612472057 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.612641096 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.612649918 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.659404039 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.661525965 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.661572933 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.708410025 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.915081978 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.915164948 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.915188074 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.915200949 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:52.915255070 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.919553041 CEST	49734	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:00:52.919565916 CEST	443	49734	142.250.185.142	192.168.2.4
Oct 2, 2024 19:00:55.222531080 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.222589970 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.222652912 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.222839117 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.222855091 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.883508921 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.883734941 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.883763075 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.884685993 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.884751081 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.925347090 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.925508976 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:55.975574017 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:55.975589037 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:00:56.020895958 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:00:59.595680952 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:00:59.595719099 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:00:59.595803976 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:00:59.598339081 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:00:59.598351955 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:00:59.727281094 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:59.727324009 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:00:59.727395058 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:59.727828026 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:00:59.727838993 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.252151012 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.252302885 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.366313934 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.392584085 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.392653942 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.393307924 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.393384933 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.394025087 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.394083977 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.398821115 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.398834944 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.399805069 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.438499928 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.438925028 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.439349890 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.439409971 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.451936960 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.486951113 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.488550901 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.531409025 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.672152042 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.672337055 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.672398090 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.672507048 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.672507048 CEST	49755	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.672528028 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.672538042 CEST	443	49755	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.687371016 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.687545061 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.687611103 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.687644005 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.687695980 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.692981958 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.693104029 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.699189901 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.699276924 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.699296951 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.699347973 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.705423117 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.705490112 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.711653948 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.711724997 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.711752892 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.711813927 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.767782927 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.767867088 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.767950058 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.768304110 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:00.768327951 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:00.775548935 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.775621891 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.775665045 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.775712013 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.776019096 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.776072025 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.783473015 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.783540964 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.783565998 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.783617973 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.789338112 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.789400101 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.794596910 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.794660091 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.794682026 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.800853014 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.800904989 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.800918102 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.807559013 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.807614088 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.807631969 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.807888985 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:00.807950974 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.808015108 CEST	49756	443	192.168.2.4	142.250.185.78
Oct 2, 2024 19:01:00.808048964 CEST	443	49756	142.250.185.78	192.168.2.4
Oct 2, 2024 19:01:01.443876982 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.443984985 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.452440977 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.452474117 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.452769995 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.453850985 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.495438099 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.747569084 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.747638941 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.747703075 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.781202078 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.781233072 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.781244993 CEST	49759	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:01:01.781251907 CEST	443	49759	184.28.90.27	192.168.2.4
Oct 2, 2024 19:01:01.832036018 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.832091093 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:01.832149029 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.832479000 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.832489967 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:01.896907091 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.896956921 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:01.897016048 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.916538000 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:01.916558981 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.461762905 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.468525887 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.468535900 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.469187021 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.469250917 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.470242023 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.470305920 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.471451044 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.471539974 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.472009897 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.472021103 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.513377905 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.545026064 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.546793938 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.546803951 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.547195911 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.547254086 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.548012972 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.548064947 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.549513102 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.549582005 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.556035042 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.556041956 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.599534988 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.761703014 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.762214899 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.762269020 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.764193058 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.764215946 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.766172886 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.766216993 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.766292095 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.766813993 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.766832113 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.843847036 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.843966007 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.844027996 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.873557091 CEST	49763	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.873584032 CEST	443	49763	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.875680923 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.875725985 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:02.875881910 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.876815081 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:02.876827002 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.343283892 CEST	49672	443	192.168.2.4	173.222.162.32
Oct 2, 2024 19:01:03.343373060 CEST	443	49672	173.222.162.32	192.168.2.4
Oct 2, 2024 19:01:03.475723028 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.476130962 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.476149082 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.477699041 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.477797985 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.478825092 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.478884935 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.479157925 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.479218960 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.479271889 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.479271889 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.479290962 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.524370909 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.524379015 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.560266972 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.560519934 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.560532093 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.560976028 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.561036110 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.561731100 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.561777115 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.561973095 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.562037945 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.562150002 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.562160015 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.562174082 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.571048021 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.602302074 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.602312088 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.704380989 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.704724073 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.704778910 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.705657005 CEST	49765	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.705677032 CEST	443	49765	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.783330917 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.784457922 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.784579992 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.785444021 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:03.785468102 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:03.837894917 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:03.883404016 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160641909 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160712004 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160759926 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160785913 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:04.160805941 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160846949 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:04.160854101 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.160957098 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.161072016 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:04.167298079 CEST	49740	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:04.167314053 CEST	443	49740	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:04.215734959 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:04.215842009 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:04.215934038 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:04.221970081 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:04.222007036 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:05.109705925 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:05.109885931 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:05.219377041 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:05.219480038 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:05.219851971 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:05.264374971 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.244827032 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.287400007 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511349916 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511373997 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511380911 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511430025 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511440992 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.511491060 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511516094 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511574030 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.511574984 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.511594057 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511621952 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.511642933 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:06.511873007 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511938095 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:06.511986971 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:07.210269928 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:07.210314035 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:07.210333109 CEST	49769	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:07.210344076 CEST	443	49769	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:08.727724075 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:08.727767944 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:08.727890015 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:08.728210926 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:08.728224993 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.542891026 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.543320894 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.543351889 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.543796062 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.544090033 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.544173956 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.544234991 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.544258118 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.544267893 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.874568939 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.875149965 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:09.875211000 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.885853052 CEST	49775	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:09.885895967 CEST	443	49775	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.087793112 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.087855101 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.087943077 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.088172913 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.088191986 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.723623037 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.724097013 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.724114895 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.724486113 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.724780083 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.724837065 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.724922895 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.724941015 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.724946976 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.930612087 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.930705070 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:32.930813074 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.931209087 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:32.931226969 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.034229994 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.034926891 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.035000086 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.035161972 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.035180092 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.165591955 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.165651083 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.165750027 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.166479111 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.166493893 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.594170094 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.594516039 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.594578028 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.595865965 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.596519947 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.596714973 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.596733093 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.596756935 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.596827984 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.646248102 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.898339987 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.899169922 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.899260998 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.899399042 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.899442911 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.987958908 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.988713980 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.988743067 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.989109993 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.989522934 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.989592075 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:33.989701033 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.989723921 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:33.989737034 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:34.207262039 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:34.207653999 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:34.207732916 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:34.239334106 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 19:01:34.239362955 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 19:01:43.564158916 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:43.564208984 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:43.564332008 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:43.564688921 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:43.564703941 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.344053984 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.344142914 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.351213932 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.351223946 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.352202892 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.360353947 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.403412104 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.725258112 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.725286961 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.725305080 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.725393057 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.725415945 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.725471020 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.726257086 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.726296902 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.726319075 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.726325989 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.726352930 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.726963997 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.727029085 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.731017113 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.731031895 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:44.731057882 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 19:01:44.731062889 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 19:01:55.225718975 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:55.225764036 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.225863934 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:55.226099014 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:55.226114035 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.880779982 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.881612062 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:55.881633043 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.882097006 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.882359028 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:01:55.882440090 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:01:55.929183006 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:02:02.900083065 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:02.900115967 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:02.900180101 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:02.900424004 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:02.900437117 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.556391001 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.556688070 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.556704998 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.558374882 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.558778048 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.558836937 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.558842897 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.558856964 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.558859110 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.599112034 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.599117994 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.857779980 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.858982086 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:03.859040976 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.859268904 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:03.859286070 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:04.557351112 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:04.557382107 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:04.557465076 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:04.557787895 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:04.557802916 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.199815989 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.200298071 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.200325012 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.200650930 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.201083899 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.201143980 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.201286077 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.201353073 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.201359987 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.507905006 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.508217096 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.508297920 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.508527040 CEST	49790	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:05.508569956 CEST	443	49790	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:05.783701897 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:02:05.783879995 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:02:05.783927917 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:02:19.319885015 CEST	49787	443	192.168.2.4	172.217.23.100
Oct 2, 2024 19:02:19.319921017 CEST	443	49787	172.217.23.100	192.168.2.4
Oct 2, 2024 19:02:32.880994081 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:32.881050110 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:32.881177902 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:32.881846905 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:32.881861925 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.521349907 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.538386106 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.538420916 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.539721966 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.549936056 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.550096989 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.550101995 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.550117970 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.550127029 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.591423988 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.599826097 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.823932886 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.824286938 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:33.824350119 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.824511051 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:33.824526072 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:36.698565006 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:36.698615074 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:36.698697090 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:36.699129105 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:36.699143887 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.497634888 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.498145103 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.498167992 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.499078035 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.499504089 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.499572039 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.499696016 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.499717951 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.499732018 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.797348022 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.798361063 CEST	443	49793	216.58.206.78	192.168.2.4
Oct 2, 2024 19:02:37.798424006 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.798754930 CEST	49793	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:02:37.798775911 CEST	443	49793	216.58.206.78	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:00:50.874485016 CEST	53	64883	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:50.874564886 CEST	59491	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:50.874741077 CEST	62880	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:50.882329941 CEST	53	59491	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:50.882652044 CEST	53	62880	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:50.883830070 CEST	53	58395	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:51.855597019 CEST	55288	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:51.855767012 CEST	56576	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:51.862611055 CEST	53	56576	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:51.862627983 CEST	53	55288	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:51.909847975 CEST	53	58062	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:55.176172018 CEST	59819	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:55.176172018 CEST	50383	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:55.183310986 CEST	53	50383	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:55.195928097 CEST	53	59819	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:57.399734020 CEST	53	49300	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:59.718614101 CEST	54744	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:59.718799114 CEST	49779	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:00:59.725483894 CEST	53	54744	1.1.1.1	192.168.2.4
Oct 2, 2024 19:00:59.726516962 CEST	53	49779	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:01.823766947 CEST	53551	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:01:01.823899031 CEST	59731	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:01:01.830883026 CEST	53	59731	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:01.831181049 CEST	53	53551	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:04.208775043 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 19:01:08.915172100 CEST	53	56620	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:11.623591900 CEST	53	51062	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:27.702934027 CEST	53	49655	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:50.528521061 CEST	53	52615	1.1.1.1	192.168.2.4
Oct 2, 2024 19:01:50.528546095 CEST	53	52358	1.1.1.1	192.168.2.4
Oct 2, 2024 19:02:01.814846039 CEST	53	51077	1.1.1.1	192.168.2.4
Oct 2, 2024 19:02:02.723546982 CEST	58768	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:02:02.723728895 CEST	63973	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:02:02.899522066 CEST	53	63973	1.1.1.1	192.168.2.4
Oct 2, 2024 19:02:02.899535894 CEST	53	58768	1.1.1.1	192.168.2.4
Oct 2, 2024 19:02:19.328676939 CEST	53	55415	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:00:50.874564886 CEST	192.168.2.4	1.1.1.1	0x9ba2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:50.874741077 CEST	192.168.2.4	1.1.1.1	0x132	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:00:51.855597019 CEST	192.168.2.4	1.1.1.1	0xba1b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.855767012 CEST	192.168.2.4	1.1.1.1	0xdd45	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:00:55.176172018 CEST	192.168.2.4	1.1.1.1	0xd827	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:55.176172018 CEST	192.168.2.4	1.1.1.1	0x5d82	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:00:59.718614101 CEST	192.168.2.4	1.1.1.1	0xf830	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:59.718799114 CEST	192.168.2.4	1.1.1.1	0x5225	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:01:01.823766947 CEST	192.168.2.4	1.1.1.1	0x5477	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:01:01.823899031 CEST	192.168.2.4	1.1.1.1	0xc81a	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:02:02.723546982 CEST	192.168.2.4	1.1.1.1	0xe61f	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:02:02.723728895 CEST	192.168.2.4	1.1.1.1	0x2645	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:00:50.882329941 CEST	1.1.1.1	192.168.2.4	0x9ba2	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:50.882652044 CEST	1.1.1.1	192.168.2.4	0x132	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:00:51.862611055 CEST	1.1.1.1	192.168.2.4	0xdd45	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862611055 CEST	1.1.1.1	192.168.2.4	0xdd45	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:51.862627983 CEST	1.1.1.1	192.168.2.4	0xba1b	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:55.183310986 CEST	1.1.1.1	192.168.2.4	0x5d82	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:00:55.195928097 CEST	1.1.1.1	192.168.2.4	0xd827	No error (0)	www.google.com		172.217.23.100	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:59.725483894 CEST	1.1.1.1	192.168.2.4	0xf830	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:00:59.725483894 CEST	1.1.1.1	192.168.2.4	0xf830	No error (0)	www3.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:00:59.726516962 CEST	1.1.1.1	192.168.2.4	0x5225	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:01:01.831181049 CEST	1.1.1.1	192.168.2.4	0x5477	No error (0)	play.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:02:02.899535894 CEST	1.1.1.1	192.168.2.4	0xe61f	No error (0)	play.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

https:

accounts.youtube.com

play.google.com

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	142.250.185.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:00:51 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:00:51 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:00:51 GMT Date: Wed, 02 Oct 2024 17:00:51 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	142.250.185.142	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:00:52 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:00:52 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:00:52 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:30:52 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=lEgds9_qXGg; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=PGKimWXImnE; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:00:52 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgTw%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:00:52 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49756	142.250.185.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:00 UTC	1235	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=555306652&timestamp=1727888458918 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:01:00 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-foKYC8jSKTgs0LzMa4Msyw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:01:00 GMT Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw05BikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-PMj6_b2QQ2LLoygUlJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAA8pMt1Q" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 66 6f 4b 59 43 38 6a 53 4b 54 67 73 30 4c 7a 4d 61 34 4d 73 79 77 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="foKYC8jSKTgs0LzMa4Msyw">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 17:01:00 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:00 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:01:00 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=85490 Date: Wed, 02 Oct 2024 17:01:00 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49759	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:01:01 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=85433 Date: Wed, 02 Oct 2024 17:01:01 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:01:01 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:02 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:01:02 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:02 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:02 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:01:02 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:02 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49765	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:03 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:01:03 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 34 36 31 30 32 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888461027",null,null,null
2024-10-02 17:01:03 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=PtTTqr4ITDZpG_xcFdMyvOqLCTL1YLgJsmwzoSsxFpANmAj6LkWzmO8M7dM0K9T1g2OjjE7k8_3apY4Q5raIVIPfLqvZaQuhFen2mXZqMYO8YS04WDx5QpvHQTOclKtr_jWm9lNmjWdah_4nSe2sL8ZYpIkmYi2xY8R9A-YgXqjtrWTwZw; expires=Thu, 03-Apr-2025 17:01:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:03 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:01:03 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:03 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49766	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:03 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:01:03 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 34 36 31 31 30 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888461101",null,null,null
2024-10-02 17:01:03 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=K0eKjaNklXRZ50lSgNrYReWzWA-fsxRiO0RMxlvwkCQ-ug_yL0-9pnttPLyBXSW_1lG0-I4niidVESLRLVXm2mThCQdIkwPXuF30HhtSVKqM7TbAkPdQZqDHCsTTG-4D5a071Cll6VGx9FWmo6b2GtxwDR5mcjZx-sW5vc9wJy3T63FWwg; expires=Thu, 03-Apr-2025 17:01:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:03 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:01:03 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:03 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49740	172.217.23.100	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:03 UTC	1213	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K0eKjaNklXRZ50lSgNrYReWzWA-fsxRiO0RMxlvwkCQ-ug_yL0-9pnttPLyBXSW_1lG0-I4niidVESLRLVXm2mThCQdIkwPXuF30HhtSVKqM7TbAkPdQZqDHCsTTG-4D5a071Cll6VGx9FWmo6b2GtxwDR5mcjZx-sW5vc9wJy3T63FWwg
2024-10-02 17:01:04 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 13:38:50 GMT Expires: Thu, 10 Oct 2024 13:38:50 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 12134 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:01:04 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:01:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-02 17:01:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:01:04 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-02 17:01:04 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49769	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:06 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4WVoa1EKVMpv428&MD=3agPLFr8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:01:06 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 7170f991-83ca-4c8e-bf39-91c1dd11129b MS-RequestId: d549a1ab-110a-4047-b8f4-853b6f5be4b0 MS-CV: bP4b73DE9UCjOPY7.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:01:05 GMT Connection: close Content-Length: 24490
2024-10-02 17:01:06 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:01:06 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49775	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:09 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K0eKjaNklXRZ50lSgNrYReWzWA-fsxRiO0RMxlvwkCQ-ug_yL0-9pnttPLyBXSW_1lG0-I4niidVESLRLVXm2mThCQdIkwPXuF30HhtSVKqM7TbAkPdQZqDHCsTTG-4D5a071Cll6VGx9FWmo6b2GtxwDR5mcjZx-sW5vc9wJy3T63FWwg
2024-10-02 17:01:09 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 38 34 35 37 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727888457000",null,null,null,
2024-10-02 17:01:09 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg; expires=Thu, 03-Apr-2025 17:01:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:09 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:01:09 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:09 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49782	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:32 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1245 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:01:32 UTC	1245	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 34 39 31 32 39 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888491292",null,null,null
2024-10-02 17:01:33 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:32 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:33 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49783	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:33 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1285 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:01:33 UTC	1285	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 34 39 32 33 37 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888492370",null,null,null
2024-10-02 17:01:33 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:33 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:33 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49784	142.250.185.174	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:33 UTC	1288	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 865 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:01:33 UTC	865	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 17:01:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:01:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:01:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:01:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49785	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:01:44 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4WVoa1EKVMpv428&MD=3agPLFr8 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:01:44 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 739750a1-faac-40ab-9f62-57a8242d5622 MS-RequestId: 1fbfad41-34dc-45d1-ae33-df58afd03c33 MS-CV: G+0o13AstkS7meCk.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:01:43 GMT Connection: close Content-Length: 30005
2024-10-02 17:01:44 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:01:44 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49789	216.58.206.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:02:03 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1335 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:02:03 UTC	1335	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 35 32 31 39 33 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888521939",null,null,null
2024-10-02 17:02:03 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:02:03 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:02:03 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:02:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49790	216.58.206.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:02:05 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1462 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:02:05 UTC	1462	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 35 32 33 37 37 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888523773",null,null,null
2024-10-02 17:02:05 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:02:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:02:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:02:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49792	216.58.206.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:02:33 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1182 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:02:33 UTC	1182	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 35 35 32 30 39 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888552096",null,null,null
2024-10-02 17:02:33 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:02:33 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:02:33 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:02:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49793	216.58.206.78	443	6360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:02:37 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1276 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Itk0ef3qh2g15oNps52V8xhYoIa5ibeMcSq0NCU2b2D3JogP_FLrvKD9OHDdDnMjsE_zfh8KFpSZlk3cFWzQ8a67EC2ozi-R6XV_fruy4iYsq7z-eNldHzLHHfwCDwAd0NG4cZiNmA4vmUxUAbitC2fdnHiUJp4qLwCqtAIfOCge3jvUKWB7BZInKg
2024-10-02 17:02:37 UTC	1276	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 35 35 35 39 31 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888555914",null,null,null
2024-10-02 17:02:37 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:02:37 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:02:37 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:02:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:00:46
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x150000
File size:	918'528 bytes
MD5 hash:	983A1A23EB06EF4323EE7A01425E47EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:00:47
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:00:47
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:00:48
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:00:49
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:01:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:01:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=2280,i,13778231416929703980,17669459964122129621,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1656
Total number of Limit Nodes:	63

Executed Functions

Function 0016F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0016F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001AF474
IsIconic.USER32(00000000), ref: 001AF47D
ShowWindow.USER32(00000000,00000009), ref: 001AF48A
SetForegroundWindow.USER32(00000000), ref: 001AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4AA
GetCurrentThreadId.KERNEL32 ref: 001AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001AF4DE
SetForegroundWindow.USER32(00000000), ref: 001AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF4F6
keybd_event.USER32(00000012,00000000), ref: 001AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF50B
keybd_event.USER32(00000012,00000000), ref: 001AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF519
keybd_event.USER32(00000012,00000000), ref: 001AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF528
keybd_event.USER32(00000012,00000000), ref: 001AF52D
SetForegroundWindow.USER32(00000000), ref: 001AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001AF557

Strings

Shell_TrayWnd, xrefs: 001AF46F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction ID: 69f32ccf145a88b4cdcabd124d56a2d5d4e21a39452486ed25d48656a4cbcedd
Opcode Fuzzy Hash: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction Fuzzy Hash: 79314175B40258BFEB206BE55C89FBF7E6DEB45B50F100029FA00EA1D1C7B05942AAA0

Function 001542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0015430D

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetCurrentProcess.KERNEL32(?,001ECB64,00000000,?,?), ref: 00154422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00154429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00154454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00154466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00154474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0015447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001544A0

Strings

kernel32.dll, xrefs: 0015444F
|O, xrefs: 001936F8
GetNativeSystemInfo, xrefs: 00154460

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction ID: 22279f1435e5948761dc6f94fb5d01f71915e6be01572e06a91aeca22725e525
Opcode Fuzzy Hash: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction Fuzzy Hash: DCA1B66290A2C0EFCB35CBE97C4C9997FA67B36304B0874D9E45197A61D33046ABCB61

Function 001542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001550AA,?,?,00000000,00000000), ref: 001542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001550AA,?,?,00000000,00000000), ref: 001542C9
LoadResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935BE
SizeofResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935D3
LockResource.KERNEL32(001550AA,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20,?), ref: 001935E6

Strings

SCRIPT, xrefs: 001542BF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction ID: 2d84d6eb4e90176d410e896e0c7df889038c66e723828ae807ea6bd24b13b1cf
Opcode Fuzzy Hash: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction Fuzzy Hash: 2711C270200701FFD7218BA5EC88F2B7BB9EBC5B56F104169F913CA550DB71DC458660

Function 00192BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00212224), ref: 00192C10
ShellExecuteW.SHELL32(00000000,?,?,00212224), ref: 00192C17

Strings

runas, xrefs: 00192C0B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 58abb66e652f029451d8be3b290df8b1e8e54d27d2da737d9dcad6638761366b
Instruction ID: ebea74c824aaa9a418887711b52f2fa7500cc38d7cba04a52d75cc58b4ae3fb6
Opcode Fuzzy Hash: 58abb66e652f029451d8be3b290df8b1e8e54d27d2da737d9dcad6638761366b
Instruction Fuzzy Hash: AC119332204345EAC718FFA0E851DAD77A4ABB6342F44142DF8765F0A2DF31955EC752

Function 001BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00195222), ref: 001BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001BDBEE
FindClose.KERNEL32(00000000), ref: 001BDBFA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction ID: c9b63c0114dc520e3fbedca63bea8d9aed94008bfbd053fa7e804c1cc7e91434
Opcode Fuzzy Hash: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction Fuzzy Hash: BAF0A0308109109782246BB8AC4E8AE3B6D9F06334B10470AF936C24E0FBB05D9686D5

Function 00174CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D09
TerminateProcess.KERNEL32(00000000,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D10
ExitProcess.KERNEL32 ref: 00174D22

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction ID: 1c807072b102770047d93a06dc622fd4619fab239725dec4ea4504903891d686
Opcode Fuzzy Hash: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction Fuzzy Hash: 93E0B631000188AFCF21AFD4DD59A583B79FB61781B158014FC599A522DB35EE92CB80

Function 0015BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#", xrefs: 001A07CE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#"
API String ID: 3964851224-3229190087
Opcode ID: bebad4bafeacc2f56bfb03c623d06e4edfca6a3de2017df10a03b7e0ad61e928
Instruction ID: 18b92ae40d694f8b4b1cb67cbbd9c609072b49c9e47cf5b2eff5ebb1d2d24c39
Opcode Fuzzy Hash: bebad4bafeacc2f56bfb03c623d06e4edfca6a3de2017df10a03b7e0ad61e928
Instruction Fuzzy Hash: 2EA26A74A08301DFC715DF18C480B6ABBE1BF99304F15896DE8AA9B352D771EC49CB92

Function 001DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1D4
_wcslen.LIBCMT ref: 001DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB236
_wcslen.LIBCMT ref: 001DB332

Part of subcall function 001C05A7: GetStdHandle.KERNEL32(000000F6), ref: 001C05C6

_wcslen.LIBCMT ref: 001DB34B
_wcslen.LIBCMT ref: 001DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001DB3B6
GetLastError.KERNEL32(00000000), ref: 001DB407
CloseHandle.KERNEL32(?), ref: 001DB439
CloseHandle.KERNEL32(00000000), ref: 001DB44A
CloseHandle.KERNEL32(00000000), ref: 001DB45C
CloseHandle.KERNEL32(00000000), ref: 001DB46E
CloseHandle.KERNEL32(?), ref: 001DB4E3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3017bf7c211ed9630610a7373bf6bc972ca070e788065e81f699e31d6338e0be
Instruction ID: 7f5e906cb782ac9c7ac8d13197de103f6d8500bbf66caaa21838b6687145cb3e
Opcode Fuzzy Hash: 3017bf7c211ed9630610a7373bf6bc972ca070e788065e81f699e31d6338e0be
Instruction Fuzzy Hash: 8CF16731608340DFC714EF24D891A6EBBE1AF95314F15855EF89A8B3A2DB31EC45CB92

Function 0015D730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0015D807
timeGetTime.WINMM ref: 0015DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB28
TranslateMessage.USER32(?), ref: 0015DB7B
DispatchMessageW.USER32(?), ref: 0015DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
Sleep.KERNELBASE(0000000A), ref: 0015DBB1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 97d665ee2d89d46247adca0fb2a8fea9557ffc7dae491fd19864908920691ffd
Instruction ID: 9eef2bd8b21c24a71ea063b0ad71f7351fae7f4cc0c81e5461f4bfac29f06e6a
Opcode Fuzzy Hash: 97d665ee2d89d46247adca0fb2a8fea9557ffc7dae491fd19864908920691ffd
Instruction Fuzzy Hash: C0422434608341EFD739CF24D884BAAB7E1BF56315F14851DF8668B2A1D770E888CB92

Function 00152CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152D07
RegisterClassExW.USER32(00000030), ref: 00152D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
LoadIconW.USER32(000000A9), ref: 00152D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

AutoIt v3 GUI, xrefs: 00152D23
+, xrefs: 00152CF0
0, xrefs: 00152CE9
TaskbarCreated, xrefs: 00152D37

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction ID: f220f92beb78e75089e2b27634b59152673c77134e32fc2e4ae806c0524f9357
Opcode Fuzzy Hash: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction Fuzzy Hash: E521B2B5D01258AFDB10DFE8ED89A9DBBB4FB08704F00511AF911AA2A0D7B14596CF91

Function 0019065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019039A: CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

GetLastError.KERNEL32 ref: 0019076F
__dosmaperr.LIBCMT ref: 00190776
GetFileType.KERNELBASE(00000000), ref: 00190782
GetLastError.KERNEL32 ref: 0019078C
__dosmaperr.LIBCMT ref: 00190795
CloseHandle.KERNEL32(00000000), ref: 001907B5
CloseHandle.KERNEL32(?), ref: 001908FF
GetLastError.KERNEL32 ref: 00190931
__dosmaperr.LIBCMT ref: 00190938

Strings

H, xrefs: 001908BD

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction ID: 896c7a75568dfb04cb60b2deaf355aae5e2707f52066c283392bd72e4042ca27
Opcode Fuzzy Hash: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction Fuzzy Hash: 60A12632A041449FDF1AEFA8DC95BAE7BA1AB0A320F14415DF8159F392DB319D13CB91

Function 0015344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00153357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00153379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0015356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0019318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001931CE
RegCloseKey.ADVAPI32(?), ref: 00193210
_wcslen.LIBCMT ref: 00193277
_wcslen.LIBCMT ref: 00193286

Strings

\Include\, xrefs: 00153527
Software\AutoIt v3\AutoIt, xrefs: 00153560
\, xrefs: 0019328C
Include, xrefs: 00193184, 001931C5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 13d87e701b947bbf71acab6e8132497211baf7e303c6c9a875d096a8739255e7
Instruction ID: 387e2a8fa13d084288f1438e1125601ca0a7066f27d1997106f025b3993c0680
Opcode Fuzzy Hash: 13d87e701b947bbf71acab6e8132497211baf7e303c6c9a875d096a8739255e7
Instruction Fuzzy Hash: 58717D71404301FEC724EFA5EC8586BBBE8FFA4340B80146EF955971A1EB359A4ECB52

Function 00152B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00152B9D
LoadIconW.USER32(00000063), ref: 00152BB3
LoadIconW.USER32(000000A4), ref: 00152BC5
LoadIconW.USER32(000000A2), ref: 00152BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00152BEF
RegisterClassExW.USER32(?), ref: 00152C40

Part of subcall function 00152CD4: GetSysColorBrush.USER32(0000000F), ref: 00152D07
Part of subcall function 00152CD4: RegisterClassExW.USER32(00000030), ref: 00152D31
Part of subcall function 00152CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
Part of subcall function 00152CD4: InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
Part of subcall function 00152CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
Part of subcall function 00152CD4: LoadIconW.USER32(000000A9), ref: 00152D85
Part of subcall function 00152CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

#, xrefs: 00152C16
AutoIt v3, xrefs: 00152C2F
0, xrefs: 00152C0F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction ID: 1304dc6d78f2f16c4ba3c4b46fe6eae8ac0fdc18bf6d3dc6ab4368f21da69224
Opcode Fuzzy Hash: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction Fuzzy Hash: 0021FA71E00354BBDB20DFE5FC99E9D7FB6FB58B50F0410AAE500A66A0D7B105528F90

Function 0015B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015BB4E

Strings

p%", xrefs: 0015B8DC
p#", xrefs: 0015BA72
p#", xrefs: 001A024F
x#", xrefs: 001A0168
x#", xrefs: 001A0207
p%", xrefs: 0015BB32
p#", xrefs: 0015BB6B
p#", xrefs: 001A0263

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#"$p#"$p#"$p#"$p%"$p%"$x#"$x#"
API String ID: 1385522511-472378502
Opcode ID: 15778a0b257ee92b2b05a7bb567d38ed372a2caaff1021fb0e865a11935c64d9
Instruction ID: ea858f5c6a0ce23db74ff6d3d8262d06f45044c58e647233fbd964ba8a41ae3d
Opcode Fuzzy Hash: 15778a0b257ee92b2b05a7bb567d38ed372a2caaff1021fb0e865a11935c64d9
Instruction Fuzzy Hash: CC32EB78A08209EFCB24CF54C884ABAB7B9FF49301F158059ED25AF291C775ED49CB91

Function 00153170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0015316A,?,?), ref: 001531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0015316A,?,?), ref: 00153204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00153227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0015316A,?,?), ref: 00153232
CreatePopupMenu.USER32 ref: 00153246
PostQuitMessage.USER32(00000000), ref: 00153267

Strings

TaskbarCreated, xrefs: 0015322D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d58a2f3e1fceae2401e52c66054e8fd08b7eae91e3c0f67f98f52ad4c1e12e4e
Instruction ID: 389454fc490a789ce3d0748bcb41b302b47e659529619440398dac85b043004b
Opcode Fuzzy Hash: d58a2f3e1fceae2401e52c66054e8fd08b7eae91e3c0f67f98f52ad4c1e12e4e
Instruction Fuzzy Hash: 36416B34600644FBDF286BF8AC8DF7D3A5AE715382F040125FD318F1A1CB718A9997A1

Function 00151410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00151459
CoUninitialize.COMBASE ref: 001514F8
UnregisterHotKey.USER32(?), ref: 001516DD
DestroyWindow.USER32(?), ref: 001924B9
FreeLibrary.KERNEL32(?), ref: 0019251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019254B

Strings

close all, xrefs: 00151454

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ea043cb78ef0be16bb36fea8cf1bb7349a27371b7b1da6edc238e1e8c64f8194
Instruction ID: 82f84ae62a18c6b537ae1d07f9b465c31bb818a333fab6c1dc3d7db47daa79d0
Opcode Fuzzy Hash: ea043cb78ef0be16bb36fea8cf1bb7349a27371b7b1da6edc238e1e8c64f8194
Instruction Fuzzy Hash: B5D1BD31701212EFDB2AEF14D899B69F7A0BF15301F1541ADE85A6B252DB30EC16CF90

Function 00152C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00152C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00152CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CCF

Strings

edit, xrefs: 00152CAC
AutoIt v3, xrefs: 00152C89, 00152C8E, 00152C8F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction ID: b3610b9807e9c10911eb4002153c4be3c31df604297b6eb06743b222432c2d5d
Opcode Fuzzy Hash: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction Fuzzy Hash: 6BF03A759403D47AEB304797BC4CE7B3EBED7DAF50B0110AAF900A65A0C2710862DAB0

Function 001BE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001BE9A5
Sleep.KERNEL32(00000000), ref: 001BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001BE9B7
Sleep.KERNELBASE ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction ID: fa44b8d00f33f95147c47a4bbdbc8ef91c4de7321d3296911f926bbd54e334ef
Opcode Fuzzy Hash: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction Fuzzy Hash: 99012531C01629DBCF00AFE5DC99AEDBBB8FF09705F010556E902B6241CB30A699CBA1

Function 00153B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B83

Strings

Control Panel\Mouse, xrefs: 00153B3E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction ID: f0334f4aea488dab96224e12e8b01e6d658bb8a024b8cbc38965afd9d38cb95c
Opcode Fuzzy Hash: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction Fuzzy Hash: F1112AB5510218FFDB21CFA5DC84AAEB7B8EF44785B104459F825DB110D3319F4597A0

Function 00153923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001933A2

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04

Strings

Line: , xrefs: 001933EB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 796872d8faad18f842dfc9db2350fa4cd7c57b16d0731a0f27b18f7209947c80
Instruction ID: 45db604e97f9be54285074f500d90cd7ba81e5562891da5f36c691529aec36c2
Opcode Fuzzy Hash: 796872d8faad18f842dfc9db2350fa4cd7c57b16d0731a0f27b18f7209947c80
Instruction Fuzzy Hash: B031D071408304EAC725EB60EC45FEBB7E8AB64355F00496AF9B98B091DB70965DC7C2

Function 00152DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00192C8C

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 00152DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Strings

X, xrefs: 00192C5A
`e!, xrefs: 00192C85

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e!
API String ID: 779396738-4247064546
Opcode ID: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction ID: 23da9e6a72118012514a764e8b9dee6ff7fd8b9a096deeb11fa974ccc1de7399
Opcode Fuzzy Hash: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction Fuzzy Hash: 4F21C671A10258AFDF01DF94C849BEE7BF8AF59305F004059E815AB241DBB4558DCBA1

Function 0016FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00170668

Part of subcall function 001732A4: RaiseException.KERNEL32(?,?,?,0017068A,?,00221444,?,?,?,?,?,?,0017068A,00151129,00218738,00151129), ref: 00173304

__CxxThrowException@8.LIBVCRUNTIME ref: 00170685

Strings

Unknown exception, xrefs: 00170692

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 74b1f0236fa26702e3205815963ea2cdb4fac2bb2d48f05228676e405ea36782
Instruction ID: db31edd7bda9dbad8db7d786f4887efe2cb9241e137d192a7372764bbf91e7e1
Opcode Fuzzy Hash: 74b1f0236fa26702e3205815963ea2cdb4fac2bb2d48f05228676e405ea36782
Instruction Fuzzy Hash: 95F0C23490030DB7CB05BAA4EC96C9E7BBC5E64350B60C135B82C965D2EF71EB76C980

Function 001510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00151BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Part of subcall function 00151B4A: RegisterWindowMessageW.USER32(00000004,?,001512C4), ref: 00151BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0015136A
OleInitialize.OLE32 ref: 00151388
CloseHandle.KERNEL32(00000000,00000000), ref: 001924AB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: f6e48753ab9ad0e9a226bbaf785cbd2e583a9f3741b804c79c95fdc552d722d9
Instruction ID: b7e3722a0c2ae6b87b1220d582af9d9f125d0cca09defd9e3b1e8167a2f9fc4c
Opcode Fuzzy Hash: f6e48753ab9ad0e9a226bbaf785cbd2e583a9f3741b804c79c95fdc552d722d9
Instruction Fuzzy Hash: 4171D1B4811244BED7A4EFF9BD89E553AE0BBB834439462BAD41ACB261E7344437CF41

Function 001BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00153923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001BC259
KillTimer.USER32(?,00000001,?,?), ref: 001BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001BC270

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a82246037934b604775699073ae2849e52c8b39b84a9ace372196ee44c009a42
Instruction ID: 230647a0e1a6dedd0183bc54085b31e116e958e85f8156986c221c994491767f
Opcode Fuzzy Hash: a82246037934b604775699073ae2849e52c8b39b84a9ace372196ee44c009a42
Instruction Fuzzy Hash: 99319570904384AFEB32DF648895BEBBBED9B16304F0004DAD5DAA7241C7745A85CB91

Function 001886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001885CC,?,00218CC8,0000000C), ref: 00188704
GetLastError.KERNEL32(?,001885CC,?,00218CC8,0000000C), ref: 0018870E
__dosmaperr.LIBCMT ref: 00188739

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction ID: e18fbbcb7a22c04552bfd8c4311a74cff24dfe44b4008bbd8a2a9dba4590c955
Opcode Fuzzy Hash: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction Fuzzy Hash: AA018932A0466026C3347374A889B7E275A9B92774F79011DFC188B1D3EFA0DE828F90

Function 0015DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0015DB7B
DispatchMessageW.USER32(?), ref: 0015DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
Sleep.KERNELBASE(0000000A), ref: 0015DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001A1CC9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: b4c9737810332ffb2b6898ff120c0b7b435930c6a10d862223827feefc31282c
Instruction ID: 3b3628171a57941c0aad52fa53eb6add6d126ae4343e1e72b2528c76eeb6a29c
Opcode Fuzzy Hash: b4c9737810332ffb2b6898ff120c0b7b435930c6a10d862223827feefc31282c
Instruction Fuzzy Hash: A1F0FE31644380EBE734CBF09C89FAA73A9EF55711F104629EA5ACB4D0DB3094998B56

Function 00161310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001617F6

Strings

CALL, xrefs: 001617C6

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 354d888e0f19b7a0703a919f613ea948c2f30de8a091307803cef30d45310f32
Instruction ID: e62a7f3171b7e9c9f78c7abf41bc3218ac573b2289cfa89c4ddb93691e861322
Opcode Fuzzy Hash: 354d888e0f19b7a0703a919f613ea948c2f30de8a091307803cef30d45310f32
Instruction Fuzzy Hash: 93229C74608341EFC714DF14C884A2ABBF1BF9A314F19895DF49A8B361D771E865CB82

Function 001E1EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 001E2043

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Strings

all, xrefs: 001E1F09

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: e6c401d5214aaa9e80f20d3eb1e3d845ff4d76b50b34399f9e599d773a731d07
Instruction ID: 6f0737346af9787a1575e5989369260dee3e1281bdedea6640b59ffa042ac41b
Opcode Fuzzy Hash: e6c401d5214aaa9e80f20d3eb1e3d845ff4d76b50b34399f9e599d773a731d07
Instruction Fuzzy Hash: 3A51BD71204341AFC304EF24C882EAEB7E5BF98300F40451DF86A9B292DB71ED58CB91

Function 00153837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
Instruction ID: a4d6993749833659bc8b2e26ca2dc6817443b920e4babc63e1648584db71ec1c
Opcode Fuzzy Hash: bf5512c0029c98896f892e4a8930ac1ae1fbeda0acfdf5a615a9c0a76a8bbe44
Instruction Fuzzy Hash: 4C31C370504300DFD721DF64D884B97BBE4FB59349F00096EF9B98B240E771AA58CB52

Function 0016F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0016F661

Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807

Sleep.KERNEL32(00000000), ref: 001AF2DE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 82fe8e39ccf81bdab1933997127f3b2fdc7726fdb7ef2b3b316420723d4de38f
Instruction ID: f0d6b388c59ccf14ad73c33e23fc5fc28244b819ad817031bbe7dad9bc10c4c3
Opcode Fuzzy Hash: 82fe8e39ccf81bdab1933997127f3b2fdc7726fdb7ef2b3b316420723d4de38f
Instruction Fuzzy Hash: 61F08231244205DFD314EF75E885B5AB7E4EF59761F000029E859CB260DB70A845CB90

Function 001E13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 001E1420

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: dc0c62333c292a53169afa7f7b1713e99b203ac2a601bbf56949f5124f0c33d9
Instruction ID: 882514f565f472005aca5ff16c2b18b3a8e83606e17082c6463a900c9f1670b5
Opcode Fuzzy Hash: dc0c62333c292a53169afa7f7b1713e99b203ac2a601bbf56949f5124f0c33d9
Instruction Fuzzy Hash: 02316D30604642AFD714EF2AC891B69B7A2BF95329F048169E8254F392DB71EC45CBD1

Function 00154ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00154E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
Part of subcall function 00154E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
Part of subcall function 00154E90: FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EFD

Part of subcall function 00154E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
Part of subcall function 00154E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
Part of subcall function 00154E59: FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction ID: 501098067aefdcdbef2e4c27f7a51e3fbaababab33a5ad6c587006d69eddd621
Opcode Fuzzy Hash: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction Fuzzy Hash: DE112731600205EBCF14AB68DC03FAD77A59F60716F10842EF962AE1C1EF749A899B90

Function 001E2658 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000001,?), ref: 001E26E0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9db755e4467249b6508c802bb6c35f411cbd12fe1fb52fab0cb07e4d34a58369
Instruction ID: 4539dce3a0e394e29df6cdd63a42bf03b89a642de5b2d2782d3c1fa129268c75
Opcode Fuzzy Hash: 9db755e4467249b6508c802bb6c35f411cbd12fe1fb52fab0cb07e4d34a58369
Instruction Fuzzy Hash: 2B11E270200A819FD714EF2AC8A1F2EB7A9FB98364F54415DE8168F652C771EC81CB90

Function 00188402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00188440

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction ID: 237f13ae5aae9d315b32253252335dde486ff305c5ad59a887ca06a2d954d51f
Opcode Fuzzy Hash: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction Fuzzy Hash: 4C11187690410AAFCF15DF58E945A9A7BF5EF48314F114059FC08AB312DB31EA11CBA5

Function 00185000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00184C7D: RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE

_free.LIBCMT ref: 0018506C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 266b106783a09d40fc3a11361281d71a201ecbff4244b16dab8b766888f416d1
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 1A0126726047056BE3219E699881A9AFBEDFB89370F25051DF19483280EB30AA05CBB4

Function 001E29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,001E14B5,?), ref: 001E2A01

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 06a01a16a4766c4e2db7e2cda0d437450d7d35effe25dc08e77778b657d42fa6
Instruction ID: a30add268c4de2c9c2139e6be8580e5ab5e7f3081d59d5afe1410210cf63d8e9
Opcode Fuzzy Hash: 06a01a16a4766c4e2db7e2cda0d437450d7d35effe25dc08e77778b657d42fa6
Instruction Fuzzy Hash: BA019236700ED19FD3248A2EC464F2A779AEBC5318F298468D0478B651D732EC42C790

Function 0017E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9192162ffa43677d8bf2b1cab57c54a852e11a505a80a1161616c7fa7224d287
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: F1F0F432510A14A6C7323A699C05B5A33F89F76334F218759F829931D2DB74D9028EA5

Function 00184C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
Instruction ID: 8db534bfd4602312ff9ad2ea16adc138193b03fff17381b268addba93e7c215b
Opcode Fuzzy Hash: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
Instruction Fuzzy Hash: C3F0E231602226A7DB217F629C09F6B779CBF517B0B158125F819AA281CF30DA019FE0

Function 00183820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction ID: ca1e5ffeb78cbc3c9f5ffbcdd1f886644a5b74298dc14cf5c30ea4e0e75842e8
Opcode Fuzzy Hash: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction Fuzzy Hash: 24E06531601224A7D63137A69C05B9B3659AB53FB0F1D4225BC39A65D1DB21DF028BE1

Function 00154F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154F6D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction ID: c274e3cab27d9c4fe7ca6e658373c3cfeed37e84bc4eb7e34f6a84454f370eab
Opcode Fuzzy Hash: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction Fuzzy Hash: 9FF03071105751CFDB389F6CD490856B7F4AF1431E324897FE5EA8A511C7319888DF50

Function 001E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001E2A66

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 79fdba2c3613d7660eec6ccef7b9c08b2a0065371dc1a76045bf5d0dc52410cf
Instruction ID: c122ab9e257a02b32369f82f3ead8a2fdbd1d75c226d16c55bc4bb1171bcd0a9
Opcode Fuzzy Hash: 79fdba2c3613d7660eec6ccef7b9c08b2a0065371dc1a76045bf5d0dc52410cf
Instruction Fuzzy Hash: BBE0DF36340556ABC714EA31EC908FE734CEBA0398704443AEC26C3500DB30999182E0

Function 001530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 050d4b4db50c28e5ae96b3b90c77079c696bee7f5028e7bfc121455c1a76b6d6
Instruction ID: c1f4b7135ad379ed69f02c171d4136c2ea59627b5c5ae35e4d591989b214af0d
Opcode Fuzzy Hash: 050d4b4db50c28e5ae96b3b90c77079c696bee7f5028e7bfc121455c1a76b6d6
Instruction Fuzzy Hash: FEF0A770900348AFE762DB64EC49BD97BBCA701708F0000E5A54897181D7704799CF41

Function 00152DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction ID: 0f8d8b00ee095c2fad70037e07bc94a94d6d71952ed2b50350fbd9ea1d371ab0
Opcode Fuzzy Hash: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction Fuzzy Hash: 1FE0CD726001245BCB1092989C06FEA77DDDFC8790F040071FD09D7248DA70ADC48590

Function 00152B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00153837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 001530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ca8f35003897ed88ce3060dd21152de808bc4bfafd6b44802d12217b5ac19837
Instruction ID: 6a5e2ced6c320aa542ad8b84e63477d3500cb0dcd2ff9d8b2cef9be1383cd4d6
Opcode Fuzzy Hash: ca8f35003897ed88ce3060dd21152de808bc4bfafd6b44802d12217b5ac19837
Instruction Fuzzy Hash: 64E0262230024492C608BBB0B8528ADB7599BF1393F40153EF8768F1A3CF20459EC352

Function 0019039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction ID: 263ca8a7be3c85cdedb0e1741aa2d76239c49ba3c2e2e45523dbede234988dcb
Opcode Fuzzy Hash: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction Fuzzy Hash: A8D06C3204014DFBDF029F84DD46EDA3FAAFB48714F014000BE1856020C732E862AB91

Function 00151CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00151CBC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction ID: 5095d367b59a5931935b5d184ef67e570825c68cac49f9b677528450d7295d32
Opcode Fuzzy Hash: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction Fuzzy Hash: 0AC09B35380345FFF23487C0BC4EF147755A75CB00F449001F609695E3C3A21471D690

Non-executed Functions

Function 001E9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E96C9
SendMessageW.USER32 ref: 001E96F2
GetKeyState.USER32(00000011), ref: 001E978B
GetKeyState.USER32(00000009), ref: 001E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E97AE
GetKeyState.USER32(00000010), ref: 001E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E97E9
SendMessageW.USER32 ref: 001E9810
SendMessageW.USER32(?,00001030,?,001E7E95), ref: 001E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001E9941
SetCapture.USER32(?), ref: 001E994A
ClientToScreen.USER32(?,?), ref: 001E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E99D6
ReleaseCapture.USER32 ref: 001E99E1
GetCursorPos.USER32(?), ref: 001E9A19
ScreenToClient.USER32(?,?), ref: 001E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9A80
SendMessageW.USER32 ref: 001E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9AEB
SendMessageW.USER32 ref: 001E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001E9B4A
GetCursorPos.USER32(?), ref: 001E9B68
ScreenToClient.USER32(?,?), ref: 001E9B75
GetParent.USER32(?), ref: 001E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9BFA
SendMessageW.USER32 ref: 001E9C2B
ClientToScreen.USER32(?,?), ref: 001E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9CDE
SendMessageW.USER32 ref: 001E9D01
ClientToScreen.USER32(?,?), ref: 001E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001E9D82

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetWindowLongW.USER32(?,000000F0), ref: 001E9E05

Strings

p#", xrefs: 001E9990
@GUI_DRAGID, xrefs: 001E997D
F, xrefs: 001E9D07

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#"
API String ID: 3429851547-1047118953
Opcode ID: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
Instruction ID: 279d97150fe9a2c962686be5d7b86b5a0e154bd01ffcf9c16e3175b489333b5b
Opcode Fuzzy Hash: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
Instruction Fuzzy Hash: 91428C70604680AFD724CF66CC84EAEBBF5FF49310F14061AFA598B2A1D77198A5CF81

Function 001E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A7E
IsMenu.USER32(?), ref: 001E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4B20
GetWindowLongW.USER32(?,000000F0), ref: 001E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001E4C82
wsprintfW.USER32 ref: 001E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4D5A

Strings

%d/%02d/%02d, xrefs: 001E4CA8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7483bcb825beef74b93fe145693805d2454a3532fdc89c1223502cdadc95a313
Instruction ID: 79083e14ba169be7842d394b5b2c23bfa05bba7b125f48832ccfb2d3e4092715
Opcode Fuzzy Hash: 7483bcb825beef74b93fe145693805d2454a3532fdc89c1223502cdadc95a313
Instruction Fuzzy Hash: 9912F231A00684ABEB248F69DC49FAF7BF8EF49710F144129F916EB2E1D7749941CB50

Function 001B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001B12A8
CloseHandle.KERNEL32(?), ref: 001B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001B12D1
GetProcessWindowStation.USER32 ref: 001B12EA
SetProcessWindowStation.USER32(00000000), ref: 001B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001B1310

Part of subcall function 001B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
Part of subcall function 001B10BF: CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Strings

, xrefs: 001B125A
winsta0, xrefs: 001B12CC
Z!, xrefs: 001B1392
default, xrefs: 001B130B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z!
API String ID: 22674027-3215132610
Opcode ID: a0ca423ed5b901a5cf2ac82c74b186699c0666767a2d833bb3b4c27afb33f5f0
Instruction ID: 9105ee5edfa453d83b831d06af66bc9ea284ba980c8a85a69b11ae768dd9df97
Opcode Fuzzy Hash: a0ca423ed5b901a5cf2ac82c74b186699c0666767a2d833bb3b4c27afb33f5f0
Instruction Fuzzy Hash: F6818B71900249BFDF219FA4DC99FEE7BB9FF08704F154129F910A62A0DB718A95CB60

Function 001B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0C00
GetLengthSid.ADVAPI32(?), ref: 001B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0C6D
GetLengthSid.ADVAPI32(?), ref: 001B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0C8C
HeapAlloc.KERNEL32(00000000), ref: 001B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0CB4
CopySid.ADVAPI32(00000000), ref: 001B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D45
HeapFree.KERNEL32(00000000), ref: 001B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D55
HeapFree.KERNEL32(00000000), ref: 001B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D65
HeapFree.KERNEL32(00000000), ref: 001B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0D78
HeapFree.KERNEL32(00000000), ref: 001B0D7F

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction ID: e85c926202946918aaaaf372646a74cb385abfe11c4194fb40c47030a80f5435
Opcode Fuzzy Hash: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction Fuzzy Hash: B2716B7690020AABDF11DFE4DC84BEFBBB8BF09310F044515F915AA1A1D771AA46CBA0

Function 001CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001ECC08), ref: 001CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001CEB37
GetClipboardData.USER32(0000000D), ref: 001CEB43
CloseClipboard.USER32 ref: 001CEB4F
GlobalLock.KERNEL32(00000000), ref: 001CEB87
CloseClipboard.USER32 ref: 001CEB91
GlobalUnlock.KERNEL32(00000000), ref: 001CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001CEBC9
GetClipboardData.USER32(00000001), ref: 001CEBD1
GlobalLock.KERNEL32(00000000), ref: 001CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001CEC38
GetClipboardData.USER32(0000000F), ref: 001CEC44
GlobalLock.KERNEL32(00000000), ref: 001CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CECD2
GlobalUnlock.KERNEL32(00000000), ref: 001CECF3
CountClipboardFormats.USER32 ref: 001CED14
CloseClipboard.USER32 ref: 001CED59

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction ID: b52ee8486c02a4bbff46c1c70372c36913a94d289e6207ee75a2f7f202f06d9e
Opcode Fuzzy Hash: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction Fuzzy Hash: 2B619D342042429FD310EFA4DC85F7A77E4AFA4714F14451DF8669B2A2DB31DD8ACBA2

Function 001C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C69BE
FindClose.KERNEL32(00000000), ref: 001C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A75

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6ADF

Strings

%02d, xrefs: 001C6C00, 001C6C0A, 001C6C5A, 001C6CAA, 001C6CFA, 001C6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001C6B32
%4d%02d%02d%02d%02d%02d, xrefs: 001C6B6A
%03d, xrefs: 001C6DA2
%4d, xrefs: 001C6BB1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3c206e481cd911739daa3c373707ecef4cd55955af9806c6fd752ca51386184f
Instruction ID: ede99f6efc3b507eb69c58265ab1bb8cc1c1694130bedb3542276015a1c5e269
Opcode Fuzzy Hash: 3c206e481cd911739daa3c373707ecef4cd55955af9806c6fd752ca51386184f
Instruction Fuzzy Hash: 0DD15071508300AEC314DBA4DC82EAFB7E8AFA8705F44491DF995CB191EB74DA48C7A2

Function 001C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001C9663
GetFileAttributesW.KERNEL32(?), ref: 001C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001C96D3
FindClose.KERNEL32(00000000), ref: 001C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001C974A
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C9772
FindClose.KERNEL32(00000000), ref: 001C977F
FindClose.KERNEL32(00000000), ref: 001C978F

Strings

*.*, xrefs: 001C96F5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction ID: 55954cf24a365900b1bbc544dc4939497ab7b6ea0c1479575ac82afad1bc5e79
Opcode Fuzzy Hash: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction Fuzzy Hash: 2731DF3254125AAACB14AFF4DC4DEDE77ACAF19320F104059E914E60A0DB70DE818E94

Function 001C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001C9819
FindClose.KERNEL32(00000000), ref: 001C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001C9890
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C98B8
FindClose.KERNEL32(00000000), ref: 001C98C5
FindClose.KERNEL32(00000000), ref: 001C98D5

Part of subcall function 001BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001BDB00

Strings

*.*, xrefs: 001C983B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction ID: b41d630f7744eeec3afe4bd7041c9a53935a670594df71fe497f711e8abff7e2
Opcode Fuzzy Hash: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction Fuzzy Hash: B831E13250069EAADB10AFB4EC4DFDE77ACAF26320F108159E914A30D1DB71DE858A64

Function 001DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DC382
RegCloseKey.ADVAPI32(00000000), ref: 001DC38F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 0c86737d302735599f81086e6c3466a749a58ff64ddd9ef91cbbcfe33ec44754
Instruction ID: 15635fce2e1cc84095b97bab2fdd0b92282964ede9f4703f54ced1d569b6d1b3
Opcode Fuzzy Hash: 0c86737d302735599f81086e6c3466a749a58ff64ddd9ef91cbbcfe33ec44754
Instruction Fuzzy Hash: E0023C71604201EFD714CF28C895E2ABBE5AF49318F19889DF85A8F3A2D731ED45CB91

Function 001C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8395

Strings

*.*, xrefs: 001C839B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction ID: 631fa9b0e7218815ae8d74771f6bacdd26f1ae552c13aeea003fb732116d9ff5
Opcode Fuzzy Hash: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction Fuzzy Hash: 8D618D715143459FC710EF64D884EAEB3E8FFA9310F04881EF99987251EB31E949CB92

Function 001BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001BD1DD
MoveFileW.KERNEL32(?,?), ref: 001BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD237

Part of subcall function 001BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001BD21C,?,?), ref: 001BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001BD253
FindClose.KERNEL32(00000000), ref: 001BD264

Strings

\*.*, xrefs: 001BD0CD, 001BD0D6, 001BD0EB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: acee6ecf1205a955fd102b88fec908fe313efe80d9a39f42fe1975be56589274
Instruction ID: 10f6049485debdbb7d8d068a47dae82dcce15a862d70293689e2f54112e65920
Opcode Fuzzy Hash: acee6ecf1205a955fd102b88fec908fe313efe80d9a39f42fe1975be56589274
Instruction Fuzzy Hash: 4A616E3180114DEBCF09EBE0ED929EDB7B5AF25305F6041A5E8127B192EB309F49CB61

Function 001CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001CED91
EmptyClipboard.USER32 ref: 001CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001CEDAC
CloseClipboard.USER32 ref: 001CEEA3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction ID: bc904c38d51d00df5a90d8906bfcdd02f592ed1869a5f704d955e96fb1c58be3
Opcode Fuzzy Hash: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction Fuzzy Hash: DF419D31204251AFD720DF55D889F2ABBE1EF54358F14809DE8268FA62C735EC82CBD0

Function 001BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

ExitWindowsEx.USER32(?,00000000), ref: 001BE932

Strings

@, xrefs: 001BE925
, xrefs: 001BE95C
, xrefs: 001BE920
SeShutdownPrivilege, xrefs: 001BE902

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction ID: 250e3ff05877f975ac3ae262b09e96de3e3dc1b2fbcee6b75fd64deb8ed9de82
Opcode Fuzzy Hash: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction Fuzzy Hash: 3E01D673610311AFEB5826B49C8ABFF72DCAB14758F160422F913E61D1D7A05C8885D0

Function 001D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 001D1276
WSAGetLastError.WSOCK32 ref: 001D1283
bind.WSOCK32(00000000,?,00000010), ref: 001D12BA
WSAGetLastError.WSOCK32 ref: 001D12C5
closesocket.WSOCK32(00000000), ref: 001D12F4
listen.WSOCK32(00000000,00000005), ref: 001D1303
WSAGetLastError.WSOCK32 ref: 001D130D
closesocket.WSOCK32(00000000), ref: 001D133C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction ID: 2824b1ddf449cbe5d90ddc281371746f36721b56db1a5eca6484104ad14ef15a
Opcode Fuzzy Hash: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction Fuzzy Hash: 89416E31600240BFD714DF64D9C4B29BBE6AF46318F288189E8568F392C771ED86CBE1

Function 001BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD481
FindClose.KERNEL32(00000000), ref: 001BD498
FindClose.KERNEL32(00000000), ref: 001BD4A1

Strings

\*.*, xrefs: 001BD3F2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0149f194342dd33c1115827d969cce777fe77bd484e969be630d2f22c8f48617
Instruction ID: 8e1928faaa61526c1fe3562a54a7601e2343824e696ea88b82348d5551492a0a
Opcode Fuzzy Hash: 0149f194342dd33c1115827d969cce777fe77bd484e969be630d2f22c8f48617
Instruction Fuzzy Hash: ED315071008385DBC304EF64D8918EF77E8BEA5315F844A2DF8E597191EB20AA0DC7A3

Function 0018E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0018E645

Strings

1#IND, xrefs: 0018F83D
1#SNAN, xrefs: 0018F844
1#INF, xrefs: 0018F852
1#QNAN, xrefs: 0018F84B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction ID: 0d67b57e32c1b7215673050b53335ccb7e66ec660e97ca35eb17efe3af968a72
Opcode Fuzzy Hash: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction Fuzzy Hash: E1C22A71E086288FDB29DE28DD447EAB7B5EB49305F1541EAD84DE7240E774AF828F40

Function 001C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C64DC
CoInitialize.OLE32(00000000), ref: 001C6639
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C6650
CoUninitialize.OLE32 ref: 001C68D4

Strings

.lnk, xrefs: 001C64BA, 001C6524, 001C65E0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f269b60f4b412a028ac788b171de0271ba79ac33755ff22e8e12b310379f5315
Instruction ID: 9b8994dd53980e347a7bd9ef2b3789f0887e634f7e7562bfa3f5a9a73bbdb77e
Opcode Fuzzy Hash: f269b60f4b412a028ac788b171de0271ba79ac33755ff22e8e12b310379f5315
Instruction Fuzzy Hash: 5BD13971508301AFC304EF24C881E6BB7E9FFA9705F50496DF9958B291EB70E949CB92

Function 001D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001D22E8

Part of subcall function 001CE4EC: GetWindowRect.USER32(?,?), ref: 001CE504

GetDesktopWindow.USER32 ref: 001D2312
GetWindowRect.USER32(00000000), ref: 001D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001D2355
GetCursorPos.USER32(?), ref: 001D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001D23DF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e013cab2f8fa3cae4a554daa5faac9102685f9b56f84155f16e258eee19b9681
Instruction ID: f9c07c8710d9d9a2e10f417a60e3b8b817a5220b3e61fe86275b92693d15ae2f
Opcode Fuzzy Hash: e013cab2f8fa3cae4a554daa5faac9102685f9b56f84155f16e258eee19b9681
Instruction Fuzzy Hash: 9C31CF72504355ABCB20DF54CC45B9BB7E9FF98314F00091AF9959B281DB34E949CBD2

Function 001C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001C9C8B

Part of subcall function 001C3874: GetInputState.USER32 ref: 001C38CB
Part of subcall function 001C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001C9C75

Strings

*.*, xrefs: 001C9B5D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8abffcfa6d2883f4cbc07e65b5286961b5821130041000374da561e245b797cd
Instruction ID: bfbe55b58f696b5d16cb5ea3b184bef5cf8e25d0ef12880b6e97f59811b68495
Opcode Fuzzy Hash: 8abffcfa6d2883f4cbc07e65b5286961b5821130041000374da561e245b797cd
Instruction Fuzzy Hash: F7417E7190420AEBCF14DFA4C889FEEBBB4EF25311F204159E815A6191EB31DE85CBA4

Function 0016997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00169A4E
GetSysColor.USER32(0000000F), ref: 00169B23
SetBkColor.GDI32(?,00000000), ref: 00169B36

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction ID: 44a15f85a88c5a92fd172d527e7b4458376fb4b2c2849127a40e9710d6f2890e
Opcode Fuzzy Hash: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction Fuzzy Hash: 40A10671208444BFE728AAAD9C9CE7F369DDB53300B16021AF502C76D1CB359E62C672

Function 001D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000002,00000011), ref: 001D185D
WSAGetLastError.WSOCK32 ref: 001D1884
bind.WSOCK32(00000000,?,00000010), ref: 001D18DB
WSAGetLastError.WSOCK32 ref: 001D18E6
closesocket.WSOCK32(00000000), ref: 001D1915

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction ID: d3abde47b7a8b9bf9dbb6058febb4e778c510e69e17f0cf00898e8a0277756ac
Opcode Fuzzy Hash: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction Fuzzy Hash: 2351A071A00200AFDB10EF64D886F2A77E5AB58718F48805DF9155F3D3DB71AD428BE1

Function 001E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001E1CC0
IsWindowEnabled.USER32 ref: 001E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001E1CDB
IsIconic.USER32 ref: 001E1CE9
IsZoomed.USER32 ref: 001E1CF7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4060ece4fc90a3b873f8c4b965057dade70966dac7c6bb473e495ff5da0c2d00
Instruction ID: 19510b2c76c8a6d85591cca520aef6554ac492868229785db59ea51f18c7b4f8
Opcode Fuzzy Hash: 4060ece4fc90a3b873f8c4b965057dade70966dac7c6bb473e495ff5da0c2d00
Instruction Fuzzy Hash: E3218231740A916FD7208F1BC894B6E7BA5BF95315B298068E846CB351C771EC82CB90

Function 00158060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001583E8
VUUU, xrefs: 001583FA
ERCP, xrefs: 0015813C
VUUU, xrefs: 00195DF0
VUUU, xrefs: 0015843C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction ID: 537a44b064c303331cce422b7ee4cd13fde73b36ce28a5fc3f9f3a82b083f821
Opcode Fuzzy Hash: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction Fuzzy Hash: 77A28070E0061ACBDF25CF58C9807ADB7B2BF54315F2581A9EC25BB285EB709D85CB50

Function 001B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001B82AA

Strings

(, xrefs: 001B82F0
tb!, xrefs: 001B84F4
|, xrefs: 001B82DA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb!$|
API String ID: 1659193697-4054476356
Opcode ID: 33aba86ea8fa958e24c6801b4fa4549d291f672375dc40197b5af3cbf301b3ff
Instruction ID: 7ad4624306908a307f1f2c5d7fae134fb6b9cb67a3fa46e875f93df43a15572f
Opcode Fuzzy Hash: 33aba86ea8fa958e24c6801b4fa4549d291f672375dc40197b5af3cbf301b3ff
Instruction Fuzzy Hash: 02322775A00605DFC728DF59C481AAAB7F4FF48B10B15C56EE49ADB3A1EB70E981CB40

Function 001DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001DA6BA

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Process32NextW.KERNEL32(00000000,?), ref: 001DA79C
CloseHandle.KERNEL32(00000000), ref: 001DA7AB

Part of subcall function 0016CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00193303,?), ref: 0016CE8A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 05aa67381aa2d26b9b377795adf588938911689e95b095b03b682bac854579ce
Instruction ID: f79779971db662369d5db8a15bece0f87c69b7aaf9b38d1ac70d47b540af7d7e
Opcode Fuzzy Hash: 05aa67381aa2d26b9b377795adf588938911689e95b095b03b682bac854579ce
Instruction Fuzzy Hash: 31516C71508300EFD710EF24D886A6BBBE8FF99754F40491DF9999B252EB70D908CB92

Function 001BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001BAAAC
SetKeyboardState.USER32(00000080), ref: 001BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001BAB88

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction ID: eba3e0e6f83b455b085a864aa64c0a34aea105aa19d058d50d192e65d19810a2
Opcode Fuzzy Hash: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction Fuzzy Hash: 58313730A80248AEFF35CB65CD45BFE7BAAAF48310F84421AF5A1961D0D3759D85C7A2

Function 0018BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0018BB7F

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

GetTimeZoneInformation.KERNEL32 ref: 0018BB91
WideCharToMultiByte.KERNEL32(00000000,?,0022121C,000000FF,?,0000003F,?,?), ref: 0018BC09
WideCharToMultiByte.KERNEL32(00000000,?,00221270,000000FF,?,0000003F,?,?,?,0022121C,000000FF,?,0000003F,?,?), ref: 0018BC36

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: bbaf9cabe5871c6bcfd121269fe38806ca7a417a43ebc2f1d7b76bd68ad8c7f1
Instruction ID: a744c47bf4ac9a918cab322c97127f6483cf9904637e8e52caa8cd0903d1443a
Opcode Fuzzy Hash: bbaf9cabe5871c6bcfd121269fe38806ca7a417a43ebc2f1d7b76bd68ad8c7f1
Instruction Fuzzy Hash: AA319E70908255EFCB15EFA9ACC0969BBB8BF65310715426AF460DB2A1D7309A51CF50

Function 001CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001CCE89
GetLastError.KERNEL32(?,00000000), ref: 001CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001CCEFE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction ID: f3dd7ab47a16324c9a616c4d148f51cfdbc35423217bfa8d4b534f5ebc07753e
Opcode Fuzzy Hash: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction Fuzzy Hash: 3E21BD719003059BD720DFA5C988FAA7BF8EB61314F10841EE64AD6551E770EE45CBA0

Function 001C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001C5D17
FindClose.KERNEL32(?), ref: 001C5D5F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 47713eb1686de38bcde8413adfb7e1fbca18c452af9b1f83442c19afa072b426
Instruction ID: 3aa5a40e9a81877dfe905de42779a6ed7a94c32b9cc077ea3eb1ae0c3185cb9c
Opcode Fuzzy Hash: 47713eb1686de38bcde8413adfb7e1fbca18c452af9b1f83442c19afa072b426
Instruction Fuzzy Hash: 8D5189346047019FC714CF68C894EAAB7E5FF19314F14855EE96A8B3A2CB30F985CB91

Function 00182622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0018271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00182724
UnhandledExceptionFilter.KERNEL32(?), ref: 00182731

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction ID: 2e0e93659f5268022adf931b90bcf71c4fe7f2d16c43b9cb06fd36b2f5620cf3
Opcode Fuzzy Hash: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction Fuzzy Hash: D031B474951328ABCB21DF64DC8979DB7B8BF18310F5081EAE81CA7261E7309F818F45

Function 001C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001C5238
SetErrorMode.KERNEL32(00000000), ref: 001C52A1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction ID: 765cc65b53c6edbaf20f4e4f7ae455fe4d61f71e1ba2a6f387c559e3cbd989ca
Opcode Fuzzy Hash: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction Fuzzy Hash: 9A310975A00618DFDB00DF94D884EADBBF5FF59314F048099E805AF2A2DB31E85ACB91

Function 001B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170668
Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
GetLastError.KERNEL32 ref: 001B174A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 41161249f765dd4313de5910492e85ce4c9b8424882748dbed0ef3729a353b31
Instruction ID: dc4db161f5a45bd7269fa87509e9129cad179ef4441af2565a9f268150a024c3
Opcode Fuzzy Hash: 41161249f765dd4313de5910492e85ce4c9b8424882748dbed0ef3729a353b31
Instruction Fuzzy Hash: 991191B2404304BFD718AF94ECC6DABB7BDEB45714B21852EF45657681EB70BC428B60

Function 001BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD650

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction ID: 7accb0fec2b4bf41894f3732a82e6eabbd09bab834b209508cd83eb0436649da
Opcode Fuzzy Hash: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction Fuzzy Hash: 86113C75E05228BBDB148F95AC85FEFBFBCEB45B50F108115F904E7290D7704A058BA1

Function 001B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001B16A1
FreeSid.ADVAPI32(?), ref: 001B16B1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction ID: f0c3502245d358522e38f40fb83de7eb29c0cabb3634b64058d89c4596c47703
Opcode Fuzzy Hash: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction Fuzzy Hash: FDF0F475950309FBDB00DFE49C89AAEBBBCFB08704F504565E501E6181E774AA448A90

Function 001AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001AD28C

Strings

X64, xrefs: 001AD2A8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction ID: da603a9316b1ca49e03ba00c6a7ae9b626bed7a79e83e9d299d45527a55fb86a
Opcode Fuzzy Hash: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction Fuzzy Hash: E2D0C9B880111DEACB94DB90ECC8DDEB37CBB04305F110152F506A2000DB3095498F50

Function 0017CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 353e45805d69377230ec44f27d0e511099c3c35a3d332279eba0220d56fcbe14
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 06021B71E002199BDF24CFA9C8906ADFBF1EF58314F25816ED919E7384D731AA418BD4

Function 0015CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#", xrefs: 0015CF7F
Variable is not of type 'Object'., xrefs: 001A0C40

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#"
API String ID: 0-2226386633
Opcode ID: a5f6d7b2d28701e149a667edb00a63f1a7972424c2257ced4afa37505c223cdd
Instruction ID: e6788ab9e68f919d5ae92f26a5c0e20fefbddc94f7d5f6762ae3879121acd0a4
Opcode Fuzzy Hash: a5f6d7b2d28701e149a667edb00a63f1a7972424c2257ced4afa37505c223cdd
Instruction Fuzzy Hash: 6B327974900318DFCF19DF94C881AEDB7B5BF1A305F144059E826AF292D775AE49CBA0

Function 001C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C6918
FindClose.KERNEL32(00000000), ref: 001C6961

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction ID: cb8cebed15263defe83a7d9a38091470666a780f663452734b99ad9b7b08e580
Opcode Fuzzy Hash: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction Fuzzy Hash: 8311BE316042019FC710CF69D885E1ABBE1EF98329F04C69DE8698F6A2C730EC45CBD0

Function 001C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37F4

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
Instruction ID: 0d806c60f141454299a9fe1ae095506f788598809ec2eb0a897d291245ee0e3b
Opcode Fuzzy Hash: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
Instruction Fuzzy Hash: EFF0E5B16043296AEB2017A68C8DFEB7AAEEFC5761F000165F519D2281DA609944C6F0

Function 001B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 31d9f6ba180838b707cbed5e18fca25cf5742795f2e2150263d2aa51ab7e76c3
Instruction ID: 226fd330bbba92d0709267fe84b32f6bfd97537d7d80a80ee7159cb8d4d119a5
Opcode Fuzzy Hash: 31d9f6ba180838b707cbed5e18fca25cf5742795f2e2150263d2aa51ab7e76c3
Instruction Fuzzy Hash: 67E04F32004600AEE7252B51FC05EB77BA9FB04310B10882EF4A5844B1DB626CE1DB50

Function 0018676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00186766,?,?,00000008,?,?,0018FEFE,00000000), ref: 00186998

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction ID: 9bfe75c222f64e5ec982550b100e19866e543599ca4d78efbf4873f1714a709b
Opcode Fuzzy Hash: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction Fuzzy Hash: 7EB13B31610609DFD719DF28C48AB657BE0FF45368F258658E89ACF2A2C735EA91CF40

Function 0016B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001A851F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction ID: 313af184affb30cb9f5ea653d44c337edcd3bb2866dcfb1bbdad865218d7e918
Opcode Fuzzy Hash: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction Fuzzy Hash: E0124075D042299BDB24CF58C8807EEB7F5FF48710F1581AAE849EB255EB309E91CB90

Function 001CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001CEABD

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction ID: 024d7c106a67a6646738c74a8a72d81279c34f3de4f4968b0fd84092d86be4b0
Opcode Fuzzy Hash: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction Fuzzy Hash: 69E04F312102049FC710EF69D844E9AF7E9AFA8760F00841AFC49CB751DBB0E8458B90

Function 001709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001703EE), ref: 001709DA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction ID: 154f79b0d7f5f09755330166283a257bd882121cb5ff6d08619dcd53b9fca18e
Opcode Fuzzy Hash: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction Fuzzy Hash:

Function 0017781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0017798B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 51a7e498feb8b096793290e993707060369b2d86b0323a33945bddb6f5a2ed3a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF51887164C705ABDF388568C85EBBE63B99B12358F18C919E98EC72C2C711DE41D393

Function 001C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&", xrefs: 001C2053

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: 0&"
API String ID: 0-3449093698
Opcode ID: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction ID: cd654b31cc05e0e0be617e21116041658166cab8eb6d2b65d112cb4e55a30b73
Opcode Fuzzy Hash: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction Fuzzy Hash: 4821B7326206119BD728CF79D92367E73E9A764310F15862EE4A7C77D1DE3AE904CB80

Function 00186DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction ID: 34283e9119d23779ff2c4252e097093873a9d9afd2a2f44c0ba8dc2d5cb560f4
Opcode Fuzzy Hash: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction Fuzzy Hash: 4532F321D29F014DD723A634D822335A649AFB73C5F25D737E81AB5DAAEB39C5C38600

Function 0016CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction ID: b2c1d17542a7bec7d5957da00b4372dac64ca418dcf669dc1f19bd9aa3f1f886
Opcode Fuzzy Hash: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction Fuzzy Hash: 5E32373AA041158BCF28CF6CC8946BD7BA1EF46314F29856AD49ADB391E730DD81DBD0

Function 00157920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314a0e8bd3ae0b78e49b280e904aa3cce8091a733e92b7c8328df19f5d657e42
Instruction ID: 9ee16eb595346af47c890bd2842d56c3da12b36eb881c4dd2ae70674a3140bae
Opcode Fuzzy Hash: 314a0e8bd3ae0b78e49b280e904aa3cce8091a733e92b7c8328df19f5d657e42
Instruction Fuzzy Hash: CF22C2B0A04609DFDF14CF64D882AAEB7F6FF54301F144529E826EB291EB36AD15CB50

Function 001591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e3e2f8280d24b103d56052f44f935b56550597f1f0c11f67ba8dc5a509421d
Instruction ID: ce52f3b31a2a47d720de1609251c19317ece2e914cea1ee3e4952525fa969d8d
Opcode Fuzzy Hash: b8e3e2f8280d24b103d56052f44f935b56550597f1f0c11f67ba8dc5a509421d
Instruction Fuzzy Hash: C402B6B1E00209EBDF04DF64D881AADBBF5FF54300F118169E816DB291EB31EA65CB95

Function 00189EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd5c29f7e84876c433d9bee6b35e664f3dcce33c76ffdad6d7147caafccac88
Instruction ID: f1287b067714f99d941a7b98e3cd260437632ab916a9f1837bf1089897950f23
Opcode Fuzzy Hash: 8cd5c29f7e84876c433d9bee6b35e664f3dcce33c76ffdad6d7147caafccac88
Instruction Fuzzy Hash: 6DB1D120D2AF414DD62396398835336B65CBFBB6D5F91D71BFC2674D62EB2286C38240

Function 00171C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b353f8d3a72e557f59149b42d8492c632099f8f23664a6b0ca0e3bffe41ce1c6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C59188731080A35ADB2E467E857907EFFF15A923A131A479DD4FACA1C1FF20C954DA20

Function 00171F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 2f5a88cf45f12962adebefe3254c12b56a43252c9d0b9f51007378b19c337009
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B49156732090A34ADB6D463D847403EFFF15A923A131A879EE4FACA1C5EF34C659D620

Function 001719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 815156f3c3dd5adc3df66e13d35b1b868088af752db7552e44a448c99f7c8796
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B99130722090E25ADB2D467E857403DFEF15A923A131A879DD4FACB1C1FF248659D620

Function 00177A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction ID: 7104e99ce7bf15d4157ad1316843741d0bbf4cc2354614b711f26d50d2626b90
Opcode Fuzzy Hash: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction Fuzzy Hash: 48616831748709A6EE38AA288C95BBE23B4DF55700F18C91AE94EDB2C1DB119F42C755

Function 00177CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711debf40cff32ea406a9928e790c72c4170a930c4cb149341a94855b4854f48
Instruction ID: db3063e48f74f371eb1fd36d67097496aded9c63a64ad7b6a5c993431ac33766
Opcode Fuzzy Hash: 711debf40cff32ea406a9928e790c72c4170a930c4cb149341a94855b4854f48
Instruction Fuzzy Hash: B861993124C709A6DE394AE8D855BBF23B4EF52744F10C85AE94ECB2C1EB12DD42C355

Function 00171706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f633d32736c9c6c9d2fbf2fc55baca527b92d4ba7fe3de46f20a2499283c0b80
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7D8184336080A319DB6D463E853407EFFF15A923A531A879DD4FACB1C1EF24C659E620

Function 001D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2B30
DeleteObject.GDI32(00000000), ref: 001D2B43
DestroyWindow.USER32 ref: 001D2B52
GetDesktopWindow.USER32 ref: 001D2B6D
GetWindowRect.USER32(00000000), ref: 001D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2CF8
GetClientRect.USER32(00000000,?), ref: 001D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D80
GlobalLock.KERNEL32(00000000), ref: 001D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D98
GlobalUnlock.KERNEL32(00000000), ref: 001D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DA8
GlobalFree.KERNEL32(00000000), ref: 001D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,00000000), ref: 001D2DDB
GlobalFree.KERNEL32(00000000), ref: 001D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D303F

Strings

DISPLAY, xrefs: 001D2EA2
, xrefs: 001D2FC5
static, xrefs: 001D2D3A, 001D2E91
AutoIt v3, xrefs: 001D2CF2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction ID: 93cb1c733b231ba24f17ad85398abc25f9440797df77b5f07980b71f74e5f624
Opcode Fuzzy Hash: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction Fuzzy Hash: C4028D71900205EFDB14DFA4DC89EAE7BB9FF58311F008559F925AB2A1D770AD42CBA0

Function 001E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001E712F
GetSysColorBrush.USER32(0000000F), ref: 001E7160
GetSysColor.USER32(0000000F), ref: 001E716C
SetBkColor.GDI32(?,000000FF), ref: 001E7186
SelectObject.GDI32(?,?), ref: 001E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001E71C0
GetSysColor.USER32(00000010), ref: 001E71C8
CreateSolidBrush.GDI32(00000000), ref: 001E71CF
FrameRect.USER32(?,?,00000000), ref: 001E71DE
DeleteObject.GDI32(00000000), ref: 001E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001E7230
FillRect.USER32(?,?,?), ref: 001E7262
GetWindowLongW.USER32(?,000000F0), ref: 001E7284

Part of subcall function 001E73E8: GetSysColor.USER32(00000012), ref: 001E7421
Part of subcall function 001E73E8: SetTextColor.GDI32(?,?), ref: 001E7425
Part of subcall function 001E73E8: GetSysColorBrush.USER32(0000000F), ref: 001E743B
Part of subcall function 001E73E8: GetSysColor.USER32(0000000F), ref: 001E7446
Part of subcall function 001E73E8: GetSysColor.USER32(00000011), ref: 001E7463
Part of subcall function 001E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
Part of subcall function 001E73E8: SelectObject.GDI32(?,00000000), ref: 001E7482
Part of subcall function 001E73E8: SetBkColor.GDI32(?,00000000), ref: 001E748B
Part of subcall function 001E73E8: SelectObject.GDI32(?,?), ref: 001E7498
Part of subcall function 001E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
Part of subcall function 001E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
Part of subcall function 001E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 88ddf72be2270f9fca0e27178a74bdb911625f6da6ae0cead44284877bca339a
Instruction ID: a9449cc8ad0ee7238bf51cf2e7250b22b577f3f6b3cbcb47a3b0ae037e9a534a
Opcode Fuzzy Hash: 88ddf72be2270f9fca0e27178a74bdb911625f6da6ae0cead44284877bca339a
Instruction Fuzzy Hash: 15A1B472108741EFD7049FA0DC88E5F7BA9FF49720F100A19FA629A1E1D731D985CB91

Function 00168D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00168E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001A6F43

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

SendMessageW.USER32(?,00001053), ref: 001A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FB7

Strings

0, xrefs: 001A6DCF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction ID: 473aac98cc1af3dea423040815ac39ec440190bfae81421ca191733310bfa069
Opcode Fuzzy Hash: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction Fuzzy Hash: 7912B038200251EFD725CF54DC98BAAB7E1FB5A310F184569F4858B661CB32ECA2CB91

Function 001D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001D2900
GetClientRect.USER32(00000000,?), ref: 001D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001D2964
GetStockObject.GDI32(00000011), ref: 001D2974
SelectObject.GDI32(00000000,00000000), ref: 001D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2991
DeleteDC.GDI32(00000000), ref: 001D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001D2A77
GetStockObject.GDI32(00000011), ref: 001D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001D2A97

Strings

DISPLAY, xrefs: 001D295A
static, xrefs: 001D294F, 001D2A71
msctls_progress32, xrefs: 001D2A13
AutoIt v3, xrefs: 001D28F8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction ID: 17cb5870b8562eb448c83c801850bed6b8b7020c03c95e6f60ef50bff37256ef
Opcode Fuzzy Hash: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction Fuzzy Hash: 39B14D71A00215BFEB24DFA8DC89FAE7BA9EF18711F004155F925EB290D774AD41CB90

Function 001C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4AED
GetDriveTypeW.KERNEL32(?,001ECB68,?,\\.\,001ECC08), ref: 001C4BCA
SetErrorMode.KERNEL32(00000000,001ECB68,?,\\.\,001ECC08), ref: 001C4D36

Strings

CDROM, xrefs: 001C4BFB
USB, xrefs: 001C4CB4
SAS, xrefs: 001C4CC9
ATAPI, xrefs: 001C4C91
iSCSI, xrefs: 001C4CC2
Fixed, xrefs: 001C4C09
1394, xrefs: 001C4C9F
SCSI, xrefs: 001C4C8A
Unknown, xrefs: 001C4BED, 001C4C83
RAID, xrefs: 001C4CBB
Network, xrefs: 001C4C02
SSD, xrefs: 001C4C4A
Fibre, xrefs: 001C4CAD
Virtual, xrefs: 001C4CE5
\\.\, xrefs: 001C4B3F
ATA, xrefs: 001C4C98
MMC, xrefs: 001C4CDE
SATA, xrefs: 001C4CD0
PhysicalDrive, xrefs: 001C4B76
SSA, xrefs: 001C4CA6
Removable, xrefs: 001C4C10, 001C4C15
FileBackedVirtual, xrefs: 001C4CEC
RAMDisk, xrefs: 001C4BF4

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e2fb8bd397bdee21bb57ffdd2ec9c572f4d2103c7818c8e65998ec08802c32c1
Instruction ID: bab4435372af537b66c9769d7ea0faaf7a15a1a38088cd0e74721ec1406a7f3f
Opcode Fuzzy Hash: e2fb8bd397bdee21bb57ffdd2ec9c572f4d2103c7818c8e65998ec08802c32c1
Instruction Fuzzy Hash: 0861E430619105DBCB18DF64DAA6FBD77F0AB35300B25401DF806AB6A1DB31ED91DB85

Function 001E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001E7421
SetTextColor.GDI32(?,?), ref: 001E7425
GetSysColorBrush.USER32(0000000F), ref: 001E743B
GetSysColor.USER32(0000000F), ref: 001E7446
CreateSolidBrush.GDI32(?), ref: 001E744B
GetSysColor.USER32(00000011), ref: 001E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
SelectObject.GDI32(?,00000000), ref: 001E7482
SetBkColor.GDI32(?,00000000), ref: 001E748B
SelectObject.GDI32(?,?), ref: 001E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001E7572
DrawFocusRect.USER32(?,?), ref: 001E757D
GetSysColor.USER32(00000011), ref: 001E758E
SetTextColor.GDI32(?,00000000), ref: 001E7596
DrawTextW.USER32(?,001E70F5,000000FF,?,00000000), ref: 001E75A8
SelectObject.GDI32(?,?), ref: 001E75BF
DeleteObject.GDI32(?), ref: 001E75CA
SelectObject.GDI32(?,?), ref: 001E75D0
DeleteObject.GDI32(?), ref: 001E75D5
SetTextColor.GDI32(?,?), ref: 001E75DB
SetBkColor.GDI32(?,?), ref: 001E75E5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 05b5f6413368c5ea7afebf02b658f8ce07531b10f3310511066c8bf3785ff6c5
Instruction ID: 9e9bfa0b927b88eb5b451ceeb98e7c533c50149b534e23c2c99257dc8bcdc63f
Opcode Fuzzy Hash: 05b5f6413368c5ea7afebf02b658f8ce07531b10f3310511066c8bf3785ff6c5
Instruction Fuzzy Hash: 3B616B72900658AFEB059FA4DC89EEEBFB9EF08720F114115F911AB2E1D7709981DF90

Function 001E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001E1128
GetDesktopWindow.USER32 ref: 001E113D
GetWindowRect.USER32(00000000), ref: 001E1144
GetWindowLongW.USER32(?,000000F0), ref: 001E1199
DestroyWindow.USER32(?), ref: 001E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001E1245
IsWindowVisible.USER32(00000000), ref: 001E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001E12D0
GetWindowRect.USER32(00000000,?), ref: 001E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001E130E
GetMonitorInfoW.USER32(00000000,?), ref: 001E1328
CopyRect.USER32(?,?), ref: 001E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001E13AA

Strings

tooltips_class32, xrefs: 001E11E6
0, xrefs: 001E10D3
(, xrefs: 001E131B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction ID: db30d930097fb3911154dec201ef2e76b74d6876501bfdd7ead7364d144a3d93
Opcode Fuzzy Hash: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction Fuzzy Hash: E1B17971608781AFDB14DF65C884B6FBBE5FF88350F008918F9999B2A1D731E845CB92

Function 00168891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00168968
GetSystemMetrics.USER32(00000007), ref: 00168970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0016899B
GetSystemMetrics.USER32(00000008), ref: 001689A3
GetSystemMetrics.USER32(00000004), ref: 001689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00168A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00168A3C
GetClientRect.USER32(00000000,000000FF), ref: 00168A5A
GetStockObject.GDI32(00000011), ref: 00168A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00168A81

Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D

SetTimer.USER32(00000000,00000000,00000028,001690FC), ref: 00168AA8

Strings

AutoIt v3 GUI, xrefs: 00168A20

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4cdb050dc06f7917c6d172ebe8fb2e7cca83af0d26b62d6ac3a3c90f9d510447
Instruction ID: a2672b45cb9fbf618d7c18b9ba919e0908ddd171aa6545aeabe2858f37659a8d
Opcode Fuzzy Hash: 4cdb050dc06f7917c6d172ebe8fb2e7cca83af0d26b62d6ac3a3c90f9d510447
Instruction Fuzzy Hash: 46B19D75A00209AFDB14DFA8DC89FAE7BB5FB48314F154219FA15AB290DB30A851CF51

Function 001B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0E29
GetLengthSid.ADVAPI32(?), ref: 001B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0E96
GetLengthSid.ADVAPI32(?), ref: 001B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0EB5
HeapAlloc.KERNEL32(00000000), ref: 001B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0EDD
CopySid.ADVAPI32(00000000), ref: 001B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F6E
HeapFree.KERNEL32(00000000), ref: 001B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F7E
HeapFree.KERNEL32(00000000), ref: 001B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F8E
HeapFree.KERNEL32(00000000), ref: 001B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0FA1
HeapFree.KERNEL32(00000000), ref: 001B0FA8

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction ID: e4dca2856a8dd8ec66b152bc9d0124a020c05f6b5a6599d5e7ad154cd698a19e
Opcode Fuzzy Hash: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction Fuzzy Hash: 13713E71A0020AEBDF219FA4DC45FEFBBB8BF09310F148159F919EA191D7719A45CBA0

Function 001DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001ECC08,00000000,?,00000000,?,?), ref: 001DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001DC5A4
_wcslen.LIBCMT ref: 001DC5F4
_wcslen.LIBCMT ref: 001DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001DC84D
RegCloseKey.ADVAPI32(?), ref: 001DC881
RegCloseKey.ADVAPI32(00000000), ref: 001DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001DC960

Strings

REG_BINARY, xrefs: 001DC913
REG_SZ, xrefs: 001DC644
REG_DWORD, xrefs: 001DC804
REG_MULTI_SZ, xrefs: 001DC6F5
REG_QWORD, xrefs: 001DC8C3
REG_EXPAND_SZ, xrefs: 001DC5CD

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1852dbfff8015573873daed53c43a23f5af79adc150683e465566d74672f2c27
Instruction ID: d8912816042648fcee3af71ac8376a4ba1b1e875d11ed8f19c5a5d9af54deae1
Opcode Fuzzy Hash: 1852dbfff8015573873daed53c43a23f5af79adc150683e465566d74672f2c27
Instruction Fuzzy Hash: 6B125635604201DFCB14DF24D881A2AB7E5EF88725F04885DF89A9B3A2DB31ED45CB81

Function 001E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E09C6
_wcslen.LIBCMT ref: 001E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E0A54
_wcslen.LIBCMT ref: 001E0A8A
_wcslen.LIBCMT ref: 001E0B06
_wcslen.LIBCMT ref: 001E0B81

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

Part of subcall function 001B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B2BFA

Strings

GETTOTALCOUNT, xrefs: 001E09F2, 001E0A17
EXISTS, xrefs: 001E0B7C, 001E0B97
CHECK, xrefs: 001E0A85, 001E0AA0
EXPAND, xrefs: 001E0BF8
UNCHECK, xrefs: 001E0D3E
GETITEMCOUNT, xrefs: 001E0C1E
COLLAPSE, xrefs: 001E0B01, 001E0B1C
ISCHECKED, xrefs: 001E0CE1
GETSELECTED, xrefs: 001E0C4E
GETTEXT, xrefs: 001E0C97
SELECT, xrefs: 001E0D11

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction ID: 80427f7f087eb66a85ac83602308ddba293a2fa3b0ac98c233842aa4a15e79bb
Opcode Fuzzy Hash: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction Fuzzy Hash: E8E1CF35208781CFC715DF25C85086EB7E1BFA8318B15895DF8969B3A2D770ED89CB81

Function 001DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
_wcslen.LIBCMT ref: 001DC9F1
_wcslen.LIBCMT ref: 001DCA68
_wcslen.LIBCMT ref: 001DCA9E
_wcslen.LIBCMT ref: 001DCAF9
_wcslen.LIBCMT ref: 001DCB2F
_wcslen.LIBCMT ref: 001DCB7F

Strings

HKCC, xrefs: 001DCBAC
HKEY_CURRENT_USER, xrefs: 001DCBBD
HKEY_CLASSES_ROOT, xrefs: 001DCAF3, 001DCAF8
HKEY_USERS, xrefs: 001DCBDF
HKU, xrefs: 001DCBF0
HKEY_LOCAL_MACHINE, xrefs: 001DCA62, 001DCA67
HKCR, xrefs: 001DCB29, 001DCB2E
HKEY_CURRENT_CONFIG, xrefs: 001DCB79, 001DCB7E
HKCU, xrefs: 001DCBCE
HKLM, xrefs: 001DCA98, 001DCA9D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction ID: d6245dd430dde039f165571733629b2fe9eb1e58e217e3a2b12c72540eed256d
Opcode Fuzzy Hash: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction Fuzzy Hash: 7A71E23261016B8BCB20DE6CCD515BB33A5ABB4794B150A2AF8669B384F731CD95C3E0

Function 001E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E835A
_wcslen.LIBCMT ref: 001E836E
_wcslen.LIBCMT ref: 001E8391
_wcslen.LIBCMT ref: 001E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001E361A,?), ref: 001E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8501
FreeLibrary.KERNEL32(?), ref: 001E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001E851D
DestroyIcon.USER32(?), ref: 001E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001E8555

Strings

.icl, xrefs: 001E8368
.dll, xrefs: 001E83AB
.exe, xrefs: 001E8388

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction ID: fc55935db32132765dd03179264695d372ea9979399e8fb44e639ddb7af06e65
Opcode Fuzzy Hash: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction Fuzzy Hash: D961DD71500A55BBEB14DF65CC81BBE77A8FF18B11F104609F919EA0D1EF74A990CBA0

Function 00157778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 001577FF
#include-once, xrefs: 0015782F
#notrayicon, xrefs: 001577E7
', xrefs: 00195169
#pragma compile, xrefs: 001577D3
#comments-start, xrefs: 0015785F, 001578B1
Unterminated group of comments, xrefs: 0019528C
#cs, xrefs: 00157873, 001578C5
#include, xrefs: 00157847
#comments-end, xrefs: 001578D9
Bad directive syntax error, xrefs: 0019519A
Cannot parse #include, xrefs: 00195279
#ce, xrefs: 001578ED
#OnAutoItStartRegister, xrefs: 00157817
", xrefs: 00195153

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e7a80dc27dd89e100d62400993a15836ae85a28c54b28ec72d94f95b19b99acd
Instruction ID: 7247a3f6008b533b1c2e1aaa10308fff320aa1767db4cc3ed6eb313b38e1e8a2
Opcode Fuzzy Hash: e7a80dc27dd89e100d62400993a15836ae85a28c54b28ec72d94f95b19b99acd
Instruction Fuzzy Hash: DC81F371640605EBDB25AF60EC47FAE37A9AF25301F144024FD18AF1D6EB70DA16C7A1

Function 001C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001C3EF8
_wcslen.LIBCMT ref: 001C3F03
_wcslen.LIBCMT ref: 001C3F5A
_wcslen.LIBCMT ref: 001C3F98
GetDriveTypeW.KERNEL32(?), ref: 001C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C4087

Strings

type cdaudio alias cd wait, xrefs: 001C4001
closed, xrefs: 001C3F08, 001C3F2D, 001C3F46, 001C3F7E, 001C3F97
wait, xrefs: 001C4044
open, xrefs: 001C3F54, 001C3F59
open , xrefs: 001C3FE5
set cd door , xrefs: 001C4028
close, xrefs: 001C3EFE, 001C3F18
close cd wait, xrefs: 001C4072

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2a02ad73e86a19edbf78d0f739cf14832760f2a9ee12e8c050f93c8ae8e6bd07
Instruction ID: 38371ae4ce0eccdd8646e59eb6cb3bad0adf499414161b234ae0a18d525c59c7
Opcode Fuzzy Hash: 2a02ad73e86a19edbf78d0f739cf14832760f2a9ee12e8c050f93c8ae8e6bd07
Instruction Fuzzy Hash: 1571B0326042019FC310DF24C8919AEB7F4EFB4758F50892DF9A59B251EB30DD49CB92

Function 001B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001B5A40
SetWindowTextW.USER32(?,?), ref: 001B5A57
GetDlgItem.USER32(?,000003EA), ref: 001B5A6C
SetWindowTextW.USER32(00000000,?), ref: 001B5A72
GetDlgItem.USER32(?,000003E9), ref: 001B5A82
SetWindowTextW.USER32(00000000,?), ref: 001B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001B5AC3
GetWindowRect.USER32(?,?), ref: 001B5ACC
_wcslen.LIBCMT ref: 001B5B33
SetWindowTextW.USER32(?,?), ref: 001B5B6F
GetDesktopWindow.USER32 ref: 001B5B75
GetWindowRect.USER32(00000000), ref: 001B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001B5BD3
GetClientRect.USER32(?,?), ref: 001B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001B5C2F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction ID: f1ac7fb0f1c883ce79a91c4ca64db9b0c92fe5a110eaac1490b8a1067f55c896
Opcode Fuzzy Hash: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction Fuzzy Hash: 4E716D31900B09AFDB20DFA9CE85BAEBBF6FF48704F104518E542A76A0D775E945CB50

Function 001CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001CFECC
GetCursorInfo.USER32(?), ref: 001CFEDC
GetLastError.KERNEL32 ref: 001CFF1E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 921c7b0c0518151aaf58f34f0c5bc3a0020e68280784996f3f4e2696f0d4df44
Instruction ID: 2bd156a8d462a121a90638d5bc7ce9e18600bba913d463d2b9fd130ee5969797
Opcode Fuzzy Hash: 921c7b0c0518151aaf58f34f0c5bc3a0020e68280784996f3f4e2696f0d4df44
Instruction Fuzzy Hash: 4C4152B0D04319AADB109FBA8C89D5EBFE9FF04754B50452EE11DEB281DB78E901CE91

Function 001B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B318D
_wcslen.LIBCMT ref: 001B31F8

Strings

REGEXPCLASS, xrefs: 001B3255, 001B3266
[!, xrefs: 001B339A
CLASSNN, xrefs: 001B31F3, 001B3204
INSTANCE, xrefs: 001B3453
CLASS, xrefs: 001B3188, 001B31A5
TEXT, xrefs: 001B347C
NAME, xrefs: 001B3335, 001B3346

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[!
API String ID: 176396367-2891400992
Opcode ID: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction ID: 341570cc986afb8cc324ff6d4a9055ec64c6e8ee38ae2350151a07c70473d904
Opcode Fuzzy Hash: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction Fuzzy Hash: 5FE1F731A00526EBCB289F78C8416EEFBB4BF64714F558159E476E7240DB30AFA9C790

Function 001700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001700C6

Part of subcall function 001700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0022070C,00000FA0,4EF0259B,?,?,?,?,001923B3,000000FF), ref: 0017011C
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001923B3,000000FF), ref: 00170127
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001923B3,000000FF), ref: 00170138
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0017014E
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0017015C
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0017016A
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00170195
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001701A0

___scrt_fastfail.LIBCMT ref: 001700E7

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

Strings

kernel32.dll, xrefs: 00170133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00170122
SleepConditionVariableCS, xrefs: 00170154
WakeAllConditionVariable, xrefs: 00170162
InitializeConditionVariable, xrefs: 00170148

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction ID: e356922bb1980496ccd717467a1baf5552c58520123243afcaa1d9daacac54b2
Opcode Fuzzy Hash: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction Fuzzy Hash: 9A21F932A44750EBD7226BE4BC89B6E77F4EB0DB61F01813DFC0596691DBB09C418A90

Function 001C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001ECC08), ref: 001C4527
_wcslen.LIBCMT ref: 001C453B
_wcslen.LIBCMT ref: 001C4599
_wcslen.LIBCMT ref: 001C45F4
_wcslen.LIBCMT ref: 001C463F
_wcslen.LIBCMT ref: 001C46A7

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

GetDriveTypeW.KERNEL32(?,00216BF0,00000061), ref: 001C4743

Strings

network, xrefs: 001C469D, 001C46A2
fixed, xrefs: 001C4635, 001C463A
ramdisk, xrefs: 001C46F1
removable, xrefs: 001C45EA, 001C45EF
all, xrefs: 001C4531, 001C4536
cdrom, xrefs: 001C458F, 001C4594
unknown, xrefs: 001C4708

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
Instruction ID: aed63cb13965299cfd2ff0b53bc85122b9afc9b19351049dc1e64fd06d21307e
Opcode Fuzzy Hash: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
Instruction Fuzzy Hash: 58B1EE3160C3129FC724DF28C8A0E6EB7E5AFB5724F50491DF4A6C7291E730D989CA92

Function 001E911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DragQueryPoint.SHELL32(?,?), ref: 001E9147

Part of subcall function 001E7674: ClientToScreen.USER32(?,?), ref: 001E769A
Part of subcall function 001E7674: GetWindowRect.USER32(?,?), ref: 001E7710
Part of subcall function 001E7674: PtInRect.USER32(?,?,001E8B89), ref: 001E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9277
DragFinish.SHELL32(?), ref: 001E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001E9371

Strings

@GUI_DROPID, xrefs: 001E929E
@GUI_DRAGFILE, xrefs: 001E9320
@GUI_DRAGID, xrefs: 001E92E9
p#", xrefs: 001E92BB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#"
API String ID: 221274066-2770955705
Opcode ID: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
Instruction ID: 66afaa6a605685e56af0162986c42b66183c84e9430487698f711a4cc01eea3c
Opcode Fuzzy Hash: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
Instruction Fuzzy Hash: BA618A71108341AFC701DFA4DC85DAFBBE8EF99750F40091EF9A1961A1DB709A4ACB92

Function 0015326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00221990), ref: 00192F8D
GetMenuItemCount.USER32(00221990), ref: 0019303D
GetCursorPos.USER32(?), ref: 00193081
SetForegroundWindow.USER32(00000000), ref: 0019308A
TrackPopupMenuEx.USER32(00221990,00000000,?,00000000,00000000,00000000), ref: 0019309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001930A9

Strings

0, xrefs: 0015327D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
Instruction ID: f82545977a383ce4f6b3b62799d1f15469a782a4ed6e4240c5ea91909b126c7f
Opcode Fuzzy Hash: 85a7c4504ba4286bb48374c7a11d557fe90473f3c288edde4ec3cf77dc7a1434
Instruction Fuzzy Hash: 65710470644205BEEF258F64CC89FAABF64FF05364F244216F939AA1E0C7B1A954DB90

Function 001E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001E6DEB

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6E94
DestroyWindow.USER32(?), ref: 001E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00150000,00000000), ref: 001E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6EFD
GetDesktopWindow.USER32 ref: 001E6F16
GetWindowRect.USER32(00000000), ref: 001E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001E6F4D

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

Strings

tooltips_class32, xrefs: 001E6E58, 001E6EDD
0, xrefs: 001E6D98

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction ID: eb917520e619384ba7993f3df8a2800c38f0cdcf99eaf7480dad1bf9fb1fb6d5
Opcode Fuzzy Hash: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction Fuzzy Hash: 2B718870104684AFDB20CF59DC98EAABBE9FBA9340F84041DF999872A1C770AD46CB51

Function 001CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC5F0
InternetCloseHandle.WININET(00000000), ref: 001CC5FB

Strings

, xrefs: 001CC575

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction ID: 57bc27fd7e66794e956fa27ecd59b972446767756cdc8f9238d22c7ca00916d9
Opcode Fuzzy Hash: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction Fuzzy Hash: 1E515CB1600245BFDB218FA4CD88FAB7BBCFB28744F00841DF94996650DB30ED459BA1

Function 001E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001E8592
GetFileSize.KERNEL32(00000000,00000000), ref: 001E85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001E85AD
CloseHandle.KERNEL32(00000000), ref: 001E85BA
GlobalLock.KERNEL32(00000000), ref: 001E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001E85D7
GlobalUnlock.KERNEL32(00000000), ref: 001E85E0
CloseHandle.KERNEL32(00000000), ref: 001E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001E85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,?), ref: 001E8611
GlobalFree.KERNEL32(00000000), ref: 001E8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 001E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001E8671
DeleteObject.GDI32(00000000), ref: 001E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001E86AF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction ID: 531392b2a654cf94237b56636f7f2ef4b03352c59a4201793c89ade2b9574e06
Opcode Fuzzy Hash: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction Fuzzy Hash: 18411975600285AFDB11DFA5CC88EAEBBB8FF89715F104158F919EB260DB309942DB60

Function 001C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001C1502
VariantCopy.OLEAUT32(?,?), ref: 001C150B
VariantClear.OLEAUT32(?), ref: 001C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001C1657
VariantInit.OLEAUT32(?), ref: 001C1708
SysFreeString.OLEAUT32(?), ref: 001C178C
VariantClear.OLEAUT32(?), ref: 001C17D8
VariantClear.OLEAUT32(?), ref: 001C17E7
VariantInit.OLEAUT32(00000000), ref: 001C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001C1625
Default, xrefs: 001C16AF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6edbe6de115b5b106095eba924dcab14363a2173bc2b7253061c9817abcc79ca
Instruction ID: b0af2e6ba45a7b19a998427d4a83240d02c3140056abde2e82de3e0814636c8b
Opcode Fuzzy Hash: 6edbe6de115b5b106095eba924dcab14363a2173bc2b7253061c9817abcc79ca
Instruction Fuzzy Hash: F1D12232A40210EBCB049F64E885F7DB7B1BF67B00F51809EE806AB182DB30EC55DB91

Function 001DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001DB80A
RegCloseKey.ADVAPI32(?), ref: 001DB87E
RegCloseKey.ADVAPI32(?), ref: 001DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001DB922
FreeLibrary.KERNEL32(00000000), ref: 001DB983
RegCloseKey.ADVAPI32(00000000), ref: 001DB994

Strings

RegDeleteKeyExW, xrefs: 001DB8FE
advapi32.dll, xrefs: 001DB8ED

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
Instruction ID: 41cdf8b803d9a026a25f816a7d21db6a6efdbdd8aff31dec16152f68b0cbb75a
Opcode Fuzzy Hash: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
Instruction Fuzzy Hash: 67C17A34208241EFD714DF24C8D5B2ABBE1BF84318F55855DF8AA4B3A2CB75E846CB91

Function 001D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001D25E8
CreateCompatibleDC.GDI32(?), ref: 001D25F4
SelectObject.GDI32(00000000,?), ref: 001D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001D26D0
SelectObject.GDI32(?,?), ref: 001D26D8
DeleteObject.GDI32(?), ref: 001D26E1
DeleteDC.GDI32(?), ref: 001D26E8
ReleaseDC.USER32(00000000,?), ref: 001D26F3

Strings

(, xrefs: 001D268D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8f40086addcdb11f39bd9d65203257d84e9fa5fb4666297c23038875ca98d804
Instruction ID: 32366ef68d2cb7e2b455021d5073a523e199db7b50ffaf7f8f4b15dac6d7b865
Opcode Fuzzy Hash: 8f40086addcdb11f39bd9d65203257d84e9fa5fb4666297c23038875ca98d804
Instruction Fuzzy Hash: 8F61C1B5D00219EFCB14CFA8DC84AAEBBB6FF58310F20852AE955A7350D774A951CF90

Function 0018DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0018DAA1

Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D659
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D66B
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D67D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D68F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6A1
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6B3
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6C5
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6D7
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6E9
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6FB
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D70D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D71F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D731

_free.LIBCMT ref: 0018DA96

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018DAB8
_free.LIBCMT ref: 0018DACD
_free.LIBCMT ref: 0018DAD8
_free.LIBCMT ref: 0018DAFA
_free.LIBCMT ref: 0018DB0D
_free.LIBCMT ref: 0018DB1B
_free.LIBCMT ref: 0018DB26
_free.LIBCMT ref: 0018DB5E
_free.LIBCMT ref: 0018DB65
_free.LIBCMT ref: 0018DB82
_free.LIBCMT ref: 0018DB9A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction ID: 4a91c1c0325c8934cdcf5674f1353731a7c9c8fa52d13f36c735cf8abada8a20
Opcode Fuzzy Hash: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction Fuzzy Hash: F4313731A443059FEB26BA39F845B5AB7E9FF21324F264429E449D7191DF35AE808F20

Function 001B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001B369C
_wcslen.LIBCMT ref: 001B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001B3797
GetClassNameW.USER32(?,?,00000400), ref: 001B380C
GetDlgCtrlID.USER32(?), ref: 001B385D
GetWindowRect.USER32(?,?), ref: 001B3882
GetParent.USER32(?), ref: 001B38A0
ScreenToClient.USER32(00000000), ref: 001B38A7
GetClassNameW.USER32(?,?,00000100), ref: 001B3921
GetWindowTextW.USER32(?,?,00000400), ref: 001B395D

Strings

%s%u, xrefs: 001B3734

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
Instruction ID: 562c0c7536aecb1dcd698c691e8e14177ee4be895276a20283c89927e1c7e8fe
Opcode Fuzzy Hash: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
Instruction Fuzzy Hash: 2891D571204706EFD718DF64C885BEAF7A9FF44304F008619F9A9C6190DB30EA66CB91

Function 001B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001B4994
GetWindowTextW.USER32(?,?,00000400), ref: 001B49DA
_wcslen.LIBCMT ref: 001B49EB
CharUpperBuffW.USER32(?,00000000), ref: 001B49F7
_wcsstr.LIBVCRUNTIME ref: 001B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001B4B20
GetWindowRect.USER32(?,?), ref: 001B4B8B

Strings

ThumbnailClass, xrefs: 001B4A6F, 001B4AF1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d91afb4ae12f5918d7dc65362296f35fddf88aee4794562557d6aefcb9e458de
Instruction ID: cc9497b8ce8579cdc645bca5a38b5642e3ee7f90f4c532047cbef99853791775
Opcode Fuzzy Hash: d91afb4ae12f5918d7dc65362296f35fddf88aee4794562557d6aefcb9e458de
Instruction Fuzzy Hash: E691BE710042059FDB04DF14C981BEA7BE9FF98714F048469FE869A197DB30ED46CBA1

Function 001BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00221990,000000FF,00000000,00000030), ref: 001BBFAC
SetMenuItemInfoW.USER32(00221990,00000004,00000000,00000030), ref: 001BBFE1
Sleep.KERNEL32(000001F4), ref: 001BBFF3
GetMenuItemCount.USER32(?), ref: 001BC039
GetMenuItemID.USER32(?,00000000), ref: 001BC056
GetMenuItemID.USER32(?,-00000001), ref: 001BC082
GetMenuItemID.USER32(?,?), ref: 001BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BC145

Strings

0, xrefs: 001BBF3D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: c3424c8a3b19b608ac9559f1d44dbcc3db2d9e9c0a06c6cb6f4152468a927256
Instruction ID: 8d3c596c33066416010e7c6d3c6a2cd3b915fc307e6e7413dd2685db03a8245d
Opcode Fuzzy Hash: c3424c8a3b19b608ac9559f1d44dbcc3db2d9e9c0a06c6cb6f4152468a927256
Instruction Fuzzy Hash: C1618DB0A0024AEFDF15DFA8DC88AFEBBA8EF15344F144059F811A7291C771AD45CBA0

Function 001DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD48

Part of subcall function 001DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001DCCAA
Part of subcall function 001DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001DCCBD
Part of subcall function 001DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DCCCF
Part of subcall function 001DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD05
Part of subcall function 001DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001DCCF3

Strings

RegDeleteKeyExW, xrefs: 001DCCC9
advapi32.dll, xrefs: 001DCCB8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction ID: dd7cd1413a60e28c124265ad56957fa8bff1d218fe38e6e5c8bc205270a94f93
Opcode Fuzzy Hash: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction Fuzzy Hash: BD316F7590112ABBDB208B94DC88EFFBBBDEF55750F000566F905E6240DB349A86DAE0

Function 001C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001C3D40
_wcslen.LIBCMT ref: 001C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001C3E55
CloseHandle.KERNEL32(00000000), ref: 001C3E60
CloseHandle.KERNEL32(00000000), ref: 001C3E6B

Strings

\, xrefs: 001C3D77
:, xrefs: 001C3D82
\??\%s, xrefs: 001C3D5B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1b95dbfcdd9583b01f9b52e27aae575f69693dfd39ca9e02b1aee5603b0ff9d8
Instruction ID: eb6072a984074663496d2be41e9e7db1a09e8451816bd3f6bf0567997897a170
Opcode Fuzzy Hash: 1b95dbfcdd9583b01f9b52e27aae575f69693dfd39ca9e02b1aee5603b0ff9d8
Instruction Fuzzy Hash: BB31A37190024AABDB209BE0DC89FEF37BDEF99700F5081A9F619D6050EB70D7858B64

Function 001BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001BE6B4

Part of subcall function 0016E551: timeGetTime.WINMM(?,?,001BE6D4), ref: 0016E555

Sleep.KERNEL32(0000000A), ref: 001BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001BE727
SetActiveWindow.USER32 ref: 001BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001BE773
Sleep.KERNEL32(000000FA), ref: 001BE77E
IsWindow.USER32 ref: 001BE78A
EndDialog.USER32(00000000), ref: 001BE79B

Strings

BUTTON, xrefs: 001BE719

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction ID: a7fe1fcf2dd765c1a3cf34a865e1e397d956cd75ab2c05ca43d3e281d7e7ad1b
Opcode Fuzzy Hash: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction Fuzzy Hash: AE216571600244FFEB205FE0FCCDEBA3BADEB65348F102424F815956B1DB729C568A94

Function 001BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001BEAA7

Strings

close PlayMe, xrefs: 001BEA6E, 001BEA9B
alias PlayMe, xrefs: 001BEA36
open , xrefs: 001BEA0C
status PlayMe mode, xrefs: 001BEA58
play PlayMe, xrefs: 001BEAA2
play PlayMe wait, xrefs: 001BEA91

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6466f490cdd02d90104a296621b63d52dbb4a838e671d42eae625ca75735855c
Instruction ID: 02e5f37ec66adec7f56aed0b63ca405075908daf2cbc269bf4993a754cb72b87
Opcode Fuzzy Hash: 6466f490cdd02d90104a296621b63d52dbb4a838e671d42eae625ca75735855c
Instruction Fuzzy Hash: 7E115431A50259BAD710A7A1DC4ADFF6ABCEBE2B44F400429B821A70D1DF701999C5B0

Function 001B9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001BA012
SetKeyboardState.USER32(?), ref: 001BA07D
GetAsyncKeyState.USER32(000000A0), ref: 001BA09D
GetKeyState.USER32(000000A0), ref: 001BA0B4
GetAsyncKeyState.USER32(000000A1), ref: 001BA0E3
GetKeyState.USER32(000000A1), ref: 001BA0F4
GetAsyncKeyState.USER32(00000011), ref: 001BA120
GetKeyState.USER32(00000011), ref: 001BA12E
GetAsyncKeyState.USER32(00000012), ref: 001BA157
GetKeyState.USER32(00000012), ref: 001BA165
GetAsyncKeyState.USER32(0000005B), ref: 001BA18E
GetKeyState.USER32(0000005B), ref: 001BA19C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 312193e72dbf1481e33d9a46dcadce4f8c118d8408948b0e010694612e6a4849
Instruction ID: 3b7d99fe83ecab957caa7340aeaac980ca43b1ecc65fb2c3f6d7c45bd18553a2
Opcode Fuzzy Hash: 312193e72dbf1481e33d9a46dcadce4f8c118d8408948b0e010694612e6a4849
Instruction Fuzzy Hash: FE51EA2090478829FB35EBA488517EEBFF49F12380F48459DD5C25B5C2DB54AA8CC762

Function 001B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001B5CE2
GetWindowRect.USER32(00000000,?), ref: 001B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001B5D59
GetDlgItem.USER32(?,00000002), ref: 001B5D69
GetWindowRect.USER32(00000000,?), ref: 001B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001B5DCF
GetDlgItem.USER32(?,000003E9), ref: 001B5DDD
GetWindowRect.USER32(00000000,?), ref: 001B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001B5E31
GetDlgItem.USER32(?,000003EA), ref: 001B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001B5E67

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3eab44d0210ce33abb52f4df6f2e7d4dffaa33dc92893f4b68bf0a59ff076a43
Instruction ID: 1c8e8f26108f1c1af2a3d94489d0627a954006183a796c8e4340b5ea095757eb
Opcode Fuzzy Hash: 3eab44d0210ce33abb52f4df6f2e7d4dffaa33dc92893f4b68bf0a59ff076a43
Instruction Fuzzy Hash: 4C512F70A00605AFDF18CFA8CD89AAEBBB6FB48300F148229F915E6690D7709E41CB50

Function 00168BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

DestroyWindow.USER32(?), ref: 00168C81
KillTimer.USER32(00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000), ref: 001A69D4
DeleteObject.GDI32(00000000), ref: 001A69E6

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction ID: 2484baa8373aab9d9dfb2bdb719269d21726a97cca42459797a11b5def6ff1c9
Opcode Fuzzy Hash: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction Fuzzy Hash: 3161AA35502700EFCB359F64DD98B6AB7F1FB65316F145618E0429B960CB31A8E2CBA1

Function 00169838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetSysColor.USER32(0000000F), ref: 00169862

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction ID: 1217693e04c5ee152832095e56ca4c860b89f30e4fe8b459753f5f3ee5dab72e
Opcode Fuzzy Hash: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction Fuzzy Hash: 23419E31504684EFDB205F789C88BBA3BADAB47330F144619F9A28B1E1D7319D92DB50

Function 001B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001B9717
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9720

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001B9742
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001B9866

Strings

Line %d (File "%s"):, xrefs: 001B978F
Line %d:, xrefs: 001B97A0
%s (%d) : ==> %s: %s %s, xrefs: 001B984A
Error: , xrefs: 001B981D
^ ERROR, xrefs: 001B97FB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 203c470dd0b5dadda985d3462125ac13f861cc82cfcbfbffc6065d69a0495776
Instruction ID: e1f1c025bb7d0780bb62b89cdd62c2d3f49248572ed3d7e59db53190ad649068
Opcode Fuzzy Hash: 203c470dd0b5dadda985d3462125ac13f861cc82cfcbfbffc6065d69a0495776
Instruction Fuzzy Hash: ED413C7280021DEACF14EBE0DD86DEE7779AF25341F500065FA157A092EB356F49CBA1

Function 001B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B083C

Strings

\CLSID, xrefs: 001B0724
SOFTWARE\Classes\, xrefs: 001B070E
\IPC$, xrefs: 001B0784

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction ID: 00c5535d042c9921350b5755f4c8305ec752e7450b33a897d962b13103482d21
Opcode Fuzzy Hash: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction Fuzzy Hash: 57410772C1022DEBCF15EBA4DC958EEB7B8BF58350B444169F911AB161EB309E48CB90

Function 001E3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001E403B
CreateCompatibleDC.GDI32(00000000), ref: 001E4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001E4055
SelectObject.GDI32(00000000,00000000), ref: 001E405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 001E4068
DeleteDC.GDI32(00000000), ref: 001E4072
GetWindowLongW.USER32(?,000000EC), ref: 001E407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 001E4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 001E409E

Strings

static, xrefs: 001E3FD3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2361a604c81841ca1e0cb2f8441f5f3b87d5b32e58971599a190db17e2f92288
Instruction ID: 56517d1107cb38d3439faeb478bc51d1dae22c83fd65a110e1a820154b91b30a
Opcode Fuzzy Hash: 2361a604c81841ca1e0cb2f8441f5f3b87d5b32e58971599a190db17e2f92288
Instruction Fuzzy Hash: 42317C32500695ABDF219FA5DC49FDE3B69FF0D320F010220FA28A61A0C775D851DB90

Function 001D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D3C5C
CoInitialize.OLE32(00000000), ref: 001D3C8A
CoUninitialize.OLE32 ref: 001D3C94
_wcslen.LIBCMT ref: 001D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001D3F0E
CoGetObject.OLE32(?,00000000,001EFB98,?), ref: 001D3F2D
SetErrorMode.KERNEL32(00000000), ref: 001D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D3FC4
VariantClear.OLEAUT32(?), ref: 001D3FD8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction ID: b3c89a55e26e99e775d534a3ae951f3c15edf3a68ddaa2239f9453e028731bee
Opcode Fuzzy Hash: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction Fuzzy Hash: 08C133716082059FD700DF68C88496BB7E9FF89748F14491EF99A9B250D730EE46CB92

Function 001C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001C7BA3
CoCreateInstance.OLE32(001EFD08,00000000,00000001,00216E6C,?), ref: 001C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001C7C74
CoTaskMemFree.OLE32(?,?), ref: 001C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001C7D7A
CoTaskMemFree.OLE32(00000000), ref: 001C7D81
CoTaskMemFree.OLE32(00000000), ref: 001C7DD6
CoUninitialize.OLE32 ref: 001C7DDC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0230e3a5d48034fca18eb341df77bf2917072143300227ae0d2c81229419d7f4
Instruction ID: 00f931a8079ca45e1618bee603a9d069ef4387307a83f7f701c2944ccce73a14
Opcode Fuzzy Hash: 0230e3a5d48034fca18eb341df77bf2917072143300227ae0d2c81229419d7f4
Instruction Fuzzy Hash: 2BC10975A04109EFCB14DFA4C884EAEBBF9FF58304B148499E81A9B661D770EE45CF90

Function 001E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E5515
CharNextW.USER32(00000158), ref: 001E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E55AC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction ID: 32101e79f093324e8bbafb7bcab77169bfba30422f68549bffd7ee1ed6d92dd6
Opcode Fuzzy Hash: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction Fuzzy Hash: D1619034900A89EFDF108F96CC84DFE7BBAEF09728F144145F925AB291D7748A81DB61

Function 001AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001AFB08
VariantInit.OLEAUT32(?), ref: 001AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001AFB3A
VariantCopy.OLEAUT32(?,?), ref: 001AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001AFBA1
VariantClear.OLEAUT32(?), ref: 001AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBCC
VariantClear.OLEAUT32(?), ref: 001AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBE9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction ID: 4afe7de2c2263cb75fbb847ad64e3d4d71254cd5f565be7edb3790a241e0ad45
Opcode Fuzzy Hash: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction Fuzzy Hash: D5414175A00219DFCB04DFA8DC94DEEBBB9FF59344F008069F955AB661C730A946CBA0

Function 001B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001B9D22
GetKeyState.USER32(000000A0), ref: 001B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001B9D57
GetKeyState.USER32(000000A1), ref: 001B9D6C
GetAsyncKeyState.USER32(00000011), ref: 001B9D84
GetKeyState.USER32(00000011), ref: 001B9D96
GetAsyncKeyState.USER32(00000012), ref: 001B9DAE
GetKeyState.USER32(00000012), ref: 001B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001B9DD8
GetKeyState.USER32(0000005B), ref: 001B9DEA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
Instruction ID: a0037fca92a5cdf4cf5dc20a4c4ba3f63520da8c8e2f8bcc027352eb09982a7d
Opcode Fuzzy Hash: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
Instruction Fuzzy Hash: 4741F8346047CA6DFF3197A1C8443F5BEB06F15344F44805ADBC65A6C2DBA4A9CACBA2

Function 001D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001D05BC
inet_addr.WSOCK32(?), ref: 001D061C
gethostbyname.WSOCK32(?), ref: 001D0628
IcmpCreateFile.IPHLPAPI ref: 001D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001D07B9
WSACleanup.WSOCK32 ref: 001D07BF

Strings

Ping, xrefs: 001D0676

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 44c32890822c9c532b2425f2cade3adbcb48019f3d798834ccd20d2fc51d01e8
Instruction ID: 58194f9d0007fd674435a1c6157beaeea044071dd070097ae3f2063987b2d907
Opcode Fuzzy Hash: 44c32890822c9c532b2425f2cade3adbcb48019f3d798834ccd20d2fc51d01e8
Instruction Fuzzy Hash: F3918D35604241DFD321CF15D888F1ABBE0AF48318F1585AAE8A98F7A2C730ED85CF91

Function 001D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001D8CF3

Part of subcall function 001B8E54: _wcslen.LIBCMT ref: 001B8E77

_wcslen.LIBCMT ref: 001D8D4E
_wcslen.LIBCMT ref: 001D8D9C
_wcslen.LIBCMT ref: 001D8DDC
_wcslen.LIBCMT ref: 001D8E6E

Strings

cdecl, xrefs: 001D8D48, 001D8D4D
none, xrefs: 001D8E65, 001D8E6A
stdcall, xrefs: 001D8DD6, 001D8DDB
winapi, xrefs: 001D8D96, 001D8D9B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction ID: 5f0982ae894e8238029aeefaaa77e074638e24d98e989f3428fa7595c8818f0b
Opcode Fuzzy Hash: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction Fuzzy Hash: 2F518F31A005169BCB14DFACC9519BEB7B6BF64724B21422AE926EB3C5DB31DD40CB90

Function 001D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001D3774
CoUninitialize.OLE32 ref: 001D377F
CoCreateInstance.OLE32(?,00000000,00000017,001EFB78,?), ref: 001D37D9
IIDFromString.OLE32(?,?), ref: 001D384C
VariantInit.OLEAUT32(?), ref: 001D38E4
VariantClear.OLEAUT32(?), ref: 001D3936

Strings

Invalid parameter, xrefs: 001D3865
Failed to create object, xrefs: 001D37E4, 001D389A
NULL Pointer assignment, xrefs: 001D381E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 26a34605ebde82765aea5b88fd4a9beb71e586d2d7afcaf8289edb1ab7af3523
Instruction ID: a01d85e0f76755317210e505bc02e54ef19713a25eea21aaa94ba7c70586d895
Opcode Fuzzy Hash: 26a34605ebde82765aea5b88fd4a9beb71e586d2d7afcaf8289edb1ab7af3523
Instruction Fuzzy Hash: CA61BD71608701AFD311DF54D889FAAB7E4AF59710F00090AF9A59B391D770EE49CB93

Function 001C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001C33CF

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001C33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001C3504
^ ERROR , xrefs: 001C349E
Line %d (File "%s"):, xrefs: 001C3443, 001C345C
Incorrect parameters to object property !, xrefs: 001C34AB
"%s" (%d) : ==> %s:, xrefs: 001C3522
Error: , xrefs: 001C34D1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9d0e6b5906814e35bb7101453653720f41cd8d1f576ad78a51f99b10e66dcbc3
Instruction ID: 2f3be01a5cb4db2a74959dc6d7d2a698dab39e530f351fa7e56499b1aee0ab2f
Opcode Fuzzy Hash: 9d0e6b5906814e35bb7101453653720f41cd8d1f576ad78a51f99b10e66dcbc3
Instruction Fuzzy Hash: 2E517D32900209EADF14EBE0DD46EEEB3B9AF24341F104065F92576052EB316F99DB61

Function 001BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001BB5FC
_wcslen.LIBCMT ref: 001BB608
_wcslen.LIBCMT ref: 001BB64D
_wcslen.LIBCMT ref: 001BB68C
_wcslen.LIBCMT ref: 001BB6C7

Strings

EXISTS, xrefs: 001BB686, 001BB68B
APPEND, xrefs: 001BB6C1, 001BB6C6
REMOVE, xrefs: 001BB602, 001BB607
KEYS, xrefs: 001BB647, 001BB64C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction ID: 7d84508857b8142904e97931d9160cb344dc29acd4ebfb873b12cc164c0e5ad0
Opcode Fuzzy Hash: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction Fuzzy Hash: 2141E532A080269BCB206F7DCCD05FEB7B5AFB0758B254229E425DB684E771CD82C790

Function 001C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001C5416
GetLastError.KERNEL32 ref: 001C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001C54A7

Strings

INVALID, xrefs: 001C5459
NOTREADY, xrefs: 001C544B
READY, xrefs: 001C5460, 001C5468
UNKNOWN, xrefs: 001C5444
READONLY, xrefs: 001C5452

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction ID: 09da3bc0d98dc47d871e7cf9f78152a67f4f57bbabdeb86ccc921b447bb7e0ee
Opcode Fuzzy Hash: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction Fuzzy Hash: 84317035A00504DFC718DF68D884FA97BB5EB65305F148059E805CF292EB71EDC6CB91

Function 001E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001E3C79
SetMenu.USER32(?,00000000), ref: 001E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E3D10
IsMenu.USER32(?), ref: 001E3D24
CreatePopupMenu.USER32 ref: 001E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001E3D5B
DrawMenuBar.USER32 ref: 001E3D63

Strings

0, xrefs: 001E3C54
F, xrefs: 001E3D4E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
Instruction ID: 18ae5f605ad9eac59235659bf2f7f5eaa3b9ef28176a4dc0ee9ee0b86a5e9bdb
Opcode Fuzzy Hash: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
Instruction Fuzzy Hash: 44417974A01649AFDB14CFA5EC88EAE7BB5FF49310F140029E916AB360D730AA11CF90

Function 001B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001B1F64
GetDlgCtrlID.USER32 ref: 001B1F6F
GetParent.USER32 ref: 001B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001B1F8E
GetDlgCtrlID.USER32(?), ref: 001B1F97
GetParent.USER32(?), ref: 001B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001B1FAE

Strings

ListBox, xrefs: 001B1F21
ComboBox, xrefs: 001B1EEC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d946f6fd9f5236bff5ec66642eb24c2e7f2401d4fd51b6f8be52217a669fda23
Instruction ID: 2598b0d1373d26fc443f973232432081995f111fedf2495d41765fcfb99638b1
Opcode Fuzzy Hash: d946f6fd9f5236bff5ec66642eb24c2e7f2401d4fd51b6f8be52217a669fda23
Instruction Fuzzy Hash: 9C21C274900214FBCF04AFA0DC95DFFBBB9EF19310B500159F961AB291CB345959DBA0

Function 001E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001E3C13

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction ID: 04b3a16f3d4495431c7aa6e41ade9547e4e6684a0eed5e7b73af732561a361a7
Opcode Fuzzy Hash: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction Fuzzy Hash: 22617D75900248AFDB20DFA8CC85EEE77F8EF09700F14419AFA15A72A1C770AE95DB50

Function 001BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB165
GetWindowThreadProcessId.USER32(00000000), ref: 001BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB21D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction ID: 2d175b4aff59a45bd72852dfd78aa8648763b920c98e66da49e93ea10a1f8351
Opcode Fuzzy Hash: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction Fuzzy Hash: 85318D75604204BFDB20DFA5ECC8FAE7BA9BB55311F104005FA11DA690D7B8AE428FB0

Function 00182C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00182C94

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 00182CA0
_free.LIBCMT ref: 00182CAB
_free.LIBCMT ref: 00182CB6
_free.LIBCMT ref: 00182CC1
_free.LIBCMT ref: 00182CCC
_free.LIBCMT ref: 00182CD7
_free.LIBCMT ref: 00182CE2
_free.LIBCMT ref: 00182CED
_free.LIBCMT ref: 00182CFB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction ID: 0c113e094b7362c6eeb317cd355b9f83e54567ea10f099f10c4a71faef98aed4
Opcode Fuzzy Hash: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction Fuzzy Hash: 0E119076900118AFCB02FF94D982CDD3BA9FF15354F8245A5FA489B222DB35EB509F90

Function 001C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001C7FC1
GetFileAttributesW.KERNEL32(?), ref: 001C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C80B0

Strings

*.*, xrefs: 001C8066

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 6fe8a42e36619df4613b1963c7ba7c68caa64e2cf5fd802dfd1b25f4baba19a9
Instruction ID: 63f228ac712a63086bdaff6c73e5c3d1aac54a86de6cf9e3b6ccae7736f52cfd
Opcode Fuzzy Hash: 6fe8a42e36619df4613b1963c7ba7c68caa64e2cf5fd802dfd1b25f4baba19a9
Instruction Fuzzy Hash: C08180725082459BCB24DF54C884EAEB3E8BBA5310F144C5EF895DB290EB74DD49CB92

Function 00155BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00155C7A

Part of subcall function 00155D0A: GetClientRect.USER32(?,?), ref: 00155D30
Part of subcall function 00155D0A: GetWindowRect.USER32(?,?), ref: 00155D71
Part of subcall function 00155D0A: ScreenToClient.USER32(?,?), ref: 00155D99

GetDC.USER32 ref: 001946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00194708
SelectObject.GDI32(00000000,00000000), ref: 00194716
SelectObject.GDI32(00000000,00000000), ref: 0019472B
ReleaseDC.USER32(?,00000000), ref: 00194733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001947C4

Strings

U, xrefs: 00194693

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction ID: 6498488b2e8d0f5ba0a78d6018628a6710811319da89850cd1f0c2fb30ad8ad8
Opcode Fuzzy Hash: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction Fuzzy Hash: 4971E035400209DFCF29CFA4CD84EBA3BB6FF5A365F144269ED655A266C3319882DF60

Function 001C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001C3724
Line %d (File "%s"):, xrefs: 001C366B
"%s" (%d) : ==> %s:, xrefs: 001C3742
Error: , xrefs: 001C36EF
^ ERROR, xrefs: 001C36C9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 468ca24d5d2432641f9604b3b3dab55d5257b032a5302de04b206e46e17be89b
Instruction ID: 7853ff7d389bcda5a24bc83ca19cb1c897d87b501431a0cb87e1abdaa31dc9a3
Opcode Fuzzy Hash: 468ca24d5d2432641f9604b3b3dab55d5257b032a5302de04b206e46e17be89b
Instruction Fuzzy Hash: 04518F72800209FACF14EBE0DC46EEEBB75AF24341F144169F525760A1EB315B99DFA1

Function 001CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC2CA
GetLastError.KERNEL32 ref: 001CC322
SetEvent.KERNEL32(?), ref: 001CC336
InternetCloseHandle.WININET(00000000), ref: 001CC341

Strings

, xrefs: 001CC2BB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction ID: f663a7b71e98c8daa85890c1a540bafe6b9a7abfa7ca6c5661b1e4a7fbc249f9
Opcode Fuzzy Hash: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction Fuzzy Hash: 80319AB1A00248AFD7219FA49C88FAF7BFCFB69740B14851EF44A96601DB30DD458BE1

Function 001B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00193AAF,?,?,Bad directive syntax error,001ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001B98BC
LoadStringW.USER32(00000000,?,00193AAF,?), ref: 001B98C3

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001B9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001B98F1
Line %d (File "%s"):, xrefs: 001B992D
Line %d:, xrefs: 001B9912
., xrefs: 001B996D
Error: , xrefs: 001B9955

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
Instruction ID: 4f2232bbc9713799403ba3055ec96d59f5f482d8336c8012b1ae1e8af6dc32bb
Opcode Fuzzy Hash: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
Instruction Fuzzy Hash: CA21B131C0021EEBCF15AF90CC0AEEE7775FF29305F044469F9256A0A2EB319668DB51

Function 001B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001B214D

Strings

details, xrefs: 001B20FB
list, xrefs: 001B212F
largeicons, xrefs: 001B20E1
SHELLDLL_DefView, xrefs: 001B20CC
smallicons, xrefs: 001B2115

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction ID: 5c76f2a68032a52c293b56e7d136ac733978ade2fbf1b443d5b427bb16202958
Opcode Fuzzy Hash: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction Fuzzy Hash: 1A1159B668C316FAF6052224DC07CEB33ECCB25328B204056FB09E50D6FF7568965A54

Function 00188D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction ID: 59b25734382bd75dfe965338c452cb5e218d0faaa72605c97b3ccbbd90172988
Opcode Fuzzy Hash: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction Fuzzy Hash: 56C1D474904249AFDB21EFE8D845BBDBBB4AF19310F184199F518A7392CB349A42CF61

Function 0018CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0018CEB7
_free.LIBCMT ref: 0018CF22
_free.LIBCMT ref: 0018CF48
_free.LIBCMT ref: 0018CF71
_free.LIBCMT ref: 0018CFA9
_free.LIBCMT ref: 0018CFDA
_free.LIBCMT ref: 0018D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0018D09C
_free.LIBCMT ref: 0018D0B5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
Instruction ID: eb05ad79db7cda97b2499ddfc2d2978f60a8ebdad785d0a0874c8060534e4d5e
Opcode Fuzzy Hash: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
Instruction Fuzzy Hash: 3A616971904311AFEF32BFB4A885A6A7BA5EF11310F15416EFA4497282D7319F028FE0

Function 001E50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001E5186
ShowWindow.USER32(?,00000000), ref: 001E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001E51D1

Part of subcall function 001E6FBA: DeleteObject.GDI32(00000000), ref: 001E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001E5296

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9dba0700e5ccaf4e96dcd9072f219bf48a1f6cbef9c34d8f61afc09c4abdb25d
Instruction ID: 244c8ace9472afdb358f2c5fe20ab65c57c4035b10a20edc66d7e0a6973e05b4
Opcode Fuzzy Hash: 9dba0700e5ccaf4e96dcd9072f219bf48a1f6cbef9c34d8f61afc09c4abdb25d
Instruction Fuzzy Hash: 1F51B230A40E89FFEF249F66CC49BDD3B67EB15369F188011FA159A2E1C3719990DB41

Function 00168B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A692D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction ID: 23563d28ac4f9157639af88e1291395521a0c3b3e5e40ad5a8840b47bc7470ee
Opcode Fuzzy Hash: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction Fuzzy Hash: 0F5178B4600309EFDB24CF64CC95FAA7BB5FB58750F144618F9129B2A0DB70E9A1DB50

Function 001CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC182
GetLastError.KERNEL32 ref: 001CC195
SetEvent.KERNEL32(?), ref: 001CC1A9

Part of subcall function 001CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
Part of subcall function 001CC253: GetLastError.KERNEL32 ref: 001CC322
Part of subcall function 001CC253: SetEvent.KERNEL32(?), ref: 001CC336
Part of subcall function 001CC253: InternetCloseHandle.WININET(00000000), ref: 001CC341

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction ID: 25cae97be8119d56c23748b4a9aa0add55b2472566ab07a1cd5b4c9dbfc4242b
Opcode Fuzzy Hash: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction Fuzzy Hash: BC317A71600645AFDB219FE5DC44F6ABBF9FF28300B04441DF95A86A10D730EC559BE0

Function 001B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001B2627

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction ID: b43eff342e9c73de3b9872ca5f6e660d22253134738b3947eeb015e9637f06dc
Opcode Fuzzy Hash: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction Fuzzy Hash: BA01D830390250BBFB1067A99CCAFD93F59DB5EB12F100011F314AF1D1CAF114858AA9

Function 001B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001B1449,?,?,00000000), ref: 001B180C
HeapAlloc.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1828
GetCurrentProcess.KERNEL32(?,00000000,?,001B1449,?,?,00000000), ref: 001B1830
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1843
GetCurrentProcess.KERNEL32(001B1449,00000000,?,001B1449,?,?,00000000), ref: 001B184B
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B184E
CreateThread.KERNEL32(00000000,00000000,001B1874,00000000,00000000,00000000), ref: 001B1868

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction ID: 5aaefe370039c895dcac839bfbf80743a51b81909f3c5b68d74561d24ab566c4
Opcode Fuzzy Hash: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction Fuzzy Hash: D301BBB5240348FFE710ABA5DC8DF6B3BACEB89B11F414411FA05DF5A1CA709841CB60

Function 001DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Part of subcall function 001BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Part of subcall function 001BD4DC: CloseHandle.KERNEL32(00000000), ref: 001BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
GetLastError.KERNEL32 ref: 001DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001DA268
GetLastError.KERNEL32(00000000), ref: 001DA273
CloseHandle.KERNEL32(00000000), ref: 001DA2C4

Strings

SeDebugPrivilege, xrefs: 001DA18F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
Instruction ID: ec99e688dc56277af0985ba8bf64f683c6444608c4532f39bcc007c735729e7f
Opcode Fuzzy Hash: 1d85f2412a1624c35d63f182410d6e6fb2cad18fdb0bf258e654341f79e88175
Instruction Fuzzy Hash: E6618C312042429FD714DF19C894F1ABBE1AF54318F58849DE8668FBA2C772ED49CBD2

Function 001E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001E3954
_wcslen.LIBCMT ref: 001E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001E39F4

Strings

SysListView32, xrefs: 001E38F7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction ID: 9db0d4df2c00c80341ee16081c51dc1334948c9655e67df7deb285624b15314b
Opcode Fuzzy Hash: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction Fuzzy Hash: 1241E371A00658ABEF219FA5CC49FEE7BA9EF18354F100126F958E7281D3719E90CB90

Function 001BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BBCFD
IsMenu.USER32(00000000), ref: 001BBD1D
CreatePopupMenu.USER32 ref: 001BBD53
GetMenuItemCount.USER32(00DD55F8), ref: 001BBDA4
InsertMenuItemW.USER32(00DD55F8,?,00000001,00000030), ref: 001BBDCC

Strings

0, xrefs: 001BBCA8
2, xrefs: 001BBD37

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
Instruction ID: bb0bc936a68165adbb68e0296196e86f49f71d1afac3797594fbcbf068e24f87
Opcode Fuzzy Hash: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
Instruction Fuzzy Hash: CB51BC70A082059BDF20DFE8C8C4BEEBBF4AF55318F148219E4119B690D7B89941CB61

Function 001BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001BC913

Strings

info, xrefs: 001BC8B4
question, xrefs: 001BC8CC
stop, xrefs: 001BC8E4
blank, xrefs: 001BC895
warning, xrefs: 001BC8FC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction ID: f98782c61d5c66b75660f51c44c93885ee7c5e7323db40f275ea99c727471dd4
Opcode Fuzzy Hash: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction Fuzzy Hash: 85112732689307BBB7049B549C83CEE67ECDF66328B20402EF504E61C2E7A05E4152E4

Function 001BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001BDE42
gethostname.WSOCK32(?,00000100), ref: 001BDE5C
gethostbyname.WSOCK32(?), ref: 001BDE69
inet_ntoa.WSOCK32(?), ref: 001BDEAB
_strcat.LIBCMT ref: 001BDEB9
WSACleanup.WSOCK32 ref: 001BDEDE

Strings

0.0.0.0, xrefs: 001BDE87

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 90693481f88aa3ed509c73087e45359321f67f0e423fc76ee864dcc4deba3996
Instruction ID: bf29c6a1b8a5b6bb706dbc54f105d5284fb8d8e6e3a6aa3477d1274e07d1fad6
Opcode Fuzzy Hash: 90693481f88aa3ed509c73087e45359321f67f0e423fc76ee864dcc4deba3996
Instruction Fuzzy Hash: E7112C31904205AFDB28AB64EC4ADDE77BCDF25715F0101A9F5059B091FF71CAC18A90

Function 001BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001BED2A
_wcslen.LIBCMT ref: 001BED3B
_wcslen.LIBCMT ref: 001BED79
_wcslen.LIBCMT ref: 001BEDAF
_wcslen.LIBCMT ref: 001BEDDF
_wcslen.LIBCMT ref: 001BEDEF
_wcslen.LIBCMT ref: 001BEE2B
_wcslen.LIBCMT ref: 001BEE5A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction ID: 19010e2562ae34a959a41287c8e3916f8784c6c51ea4b9a37a15ce89ceb5bf6a
Opcode Fuzzy Hash: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction Fuzzy Hash: 8F41B065D1021876CB11EBF48C8A9CFB7B8AF59310F50C566E618E3122FB34E245C3A6

Function 0016F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 0016F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF454

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: be84a904a8e80a95fb94e1221479de74dc49398edc38001597caacc69e0811f2
Instruction ID: e94ceb3c56ffcf0ba9b214efb9f8b4485fb1dc5b55187ef507d9665cf6d71f23
Opcode Fuzzy Hash: be84a904a8e80a95fb94e1221479de74dc49398edc38001597caacc69e0811f2
Instruction Fuzzy Hash: 4A410935608780BAD73D8B69AC8872A7BA2AF5631CF15443CF09756661C731A8D3C751

Function 001E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001E2D1B
GetDC.USER32(00000000), ref: 001E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001E2DE1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction ID: afb106ebb2db59178556dfafee4bfa6ac45bd29c4be9e90473ad9daad599c3e4
Opcode Fuzzy Hash: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction Fuzzy Hash: C4318B72201694BBEB118F958C8AFEB3BADFB49721F044055FE089E291C6759C81CBA0

Function 001B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5637
_memcmp.LIBVCRUNTIME ref: 001B5659
_memcmp.LIBVCRUNTIME ref: 001B5671
_memcmp.LIBVCRUNTIME ref: 001B5684
_memcmp.LIBVCRUNTIME ref: 001B569E
_memcmp.LIBVCRUNTIME ref: 001B56B1
_memcmp.LIBVCRUNTIME ref: 001B56C9
_memcmp.LIBVCRUNTIME ref: 001B56E4

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction ID: 682f8180fb140e0e32a4be302102a355d1615436a367aa8c72d12408b50f7651
Opcode Fuzzy Hash: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction Fuzzy Hash: C5219571B40E0977E31857259D82FFE336FAF34398F644024FD099A581FB60EE1182A5

Function 001D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001D5007
NULL Pointer assignment, xrefs: 001D502E, 001D5383

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d54a8c75f8e0c8d6a7d3744647d111d5be6de08642d1b251c2aa446cf6d1831e
Instruction ID: 3560b28db44aeef5e7eabe52e4c8c202c8b89c5d13e623014a1a6dceb9ec4828
Opcode Fuzzy Hash: d54a8c75f8e0c8d6a7d3744647d111d5be6de08642d1b251c2aa446cf6d1831e
Instruction Fuzzy Hash: B0D1A375A0060AAFDF14CF98C881FAEB7B6BF58344F14816AE915AB381D770DD45CB90

Function 00191522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001915CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00191651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001916E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001916FB

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00191777
__freea.LIBCMT ref: 001917A2
__freea.LIBCMT ref: 001917AE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction ID: 810b5fdb06090c8d00c7f64b38a95847b10edb0fcfd4a2fd07fd7a2f8f47280d
Opcode Fuzzy Hash: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction Fuzzy Hash: 6691C672E00217BAEF258EB4CC81AEE7BB5AF5A710F1A4659E901E7141D735DDC0CBA0

Function 001D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D4648
VariantInit.OLEAUT32(?), ref: 001D4749
VariantClear.OLEAUT32(?), ref: 001D4753
VariantClear.OLEAUT32(?), ref: 001D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001D45D8, 001D4706, 001D47BE
Incorrect Object type in FOR..IN loop, xrefs: 001D472C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 7c62e2ce4a4624d320c31713099a65d7dabb0f76144df37ab751f91c775b7449
Instruction ID: 57a0338dcf22794d1dad4bf5452eefe52044abafc1237a82b094850b477e9130
Opcode Fuzzy Hash: 7c62e2ce4a4624d320c31713099a65d7dabb0f76144df37ab751f91c775b7449
Instruction Fuzzy Hash: D8919E71A00219ABDF24CFA5DC88FEEBBB8EF56714F10855AF515AB280D7709941CFA0

Function 001C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C1430

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 921e0cbefb5adac7149d1a894ad38be9f62d63271bd779683035abdc6e61d72e
Instruction ID: 5adb90f8b5bb69ad778708e3e2fd8a1adf3db86139209ecab48879971ab4994a
Opcode Fuzzy Hash: 921e0cbefb5adac7149d1a894ad38be9f62d63271bd779683035abdc6e61d72e
Instruction Fuzzy Hash: A791CE76A40218AFDB059FA4C885FAEB7B5FF66315F204029E910EB292D774E941CB90

Function 0016948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction ID: ef8d196e12e32cea5d0e1c3bcd1193507a7d2b171d7817dbc55942b3080245ad
Opcode Fuzzy Hash: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction Fuzzy Hash: 6C913975D00219EFCB14CFA9CC84AEEBBB8FF49320F14415AE516B7251D774AA52CBA0

Function 001D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D396B
CharUpperBuffW.USER32(?,?), ref: 001D3A7A
_wcslen.LIBCMT ref: 001D3A8A
VariantClear.OLEAUT32(?), ref: 001D3C1F

Part of subcall function 001C0CDF: VariantInit.OLEAUT32(00000000), ref: 001C0D1F
Part of subcall function 001C0CDF: VariantCopy.OLEAUT32(?,?), ref: 001C0D28
Part of subcall function 001C0CDF: VariantClear.OLEAUT32(?), ref: 001C0D34

Strings

Incorrect Parameter format, xrefs: 001D39A6, 001D3BA1
AUTOIT.ERROR, xrefs: 001D3A80, 001D3A85

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5d30af63a06233fcf2c5405885f3cb769c4738bfc932db06cd6582530efe114f
Instruction ID: d59f9b4b4d00e01cb4ea84a3029495dd67bd2261d3ee5dee213dc65927c66740
Opcode Fuzzy Hash: 5d30af63a06233fcf2c5405885f3cb769c4738bfc932db06cd6582530efe114f
Instruction Fuzzy Hash: 889146756083059FC704DF68C48196AB7E4FF99314F14892EF8A99B351DB30EE4ACB92

Function 001D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
Part of subcall function 001B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
Part of subcall function 001B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
Part of subcall function 001B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001D4C51
_wcslen.LIBCMT ref: 001D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001D4DCF
CoTaskMemFree.OLE32(?), ref: 001D4DDA

Strings

NULL Pointer assignment, xrefs: 001D4E23, 001D4E52

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction ID: 497e6a480804c7b526e933b0ee2296550c55920cdd8f40c58cd4bd61804da7a2
Opcode Fuzzy Hash: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction Fuzzy Hash: AD912871D0021DEFDF14DFA4D890AEEB7B9BF18300F10856AE915AB251EB349A45CFA0

Function 001E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001E2183
GetMenuItemCount.USER32(00000000), ref: 001E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001E21DD
_wcslen.LIBCMT ref: 001E2213
GetMenuItemID.USER32(?,?), ref: 001E224D
GetSubMenu.USER32(?,?), ref: 001E225B

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E22E3

Part of subcall function 001BE97B: Sleep.KERNELBASE ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 00c92e01c3c42516e365e10efe8d32462d1542abf922bf45dea17304762dfc64
Instruction ID: 6abf312e980f005740193208f491d0deae66b1fa474671bff13df6a85d3f70ab
Opcode Fuzzy Hash: 00c92e01c3c42516e365e10efe8d32462d1542abf922bf45dea17304762dfc64
Instruction Fuzzy Hash: 6C71AE35A00645AFCB14DFA5C891AAEB7F9FF88310F158459E916EB341D734AE42CB90

Function 001E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DD5698), ref: 001E7F37
IsWindowEnabled.USER32(00DD5698), ref: 001E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001E801E
SendMessageW.USER32(00DD5698,000000B0,?,?), ref: 001E8051
IsDlgButtonChecked.USER32(?,?), ref: 001E8089
GetWindowLongW.USER32(00DD5698,000000EC), ref: 001E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001E80C3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1880ba6eab208c07eae9ce929a97bdb9f7cffe61b5dc80ac2902afa0b0a725da
Instruction ID: ff185b5b5b1fa90f811d22d83a4a6d411a4aaa74a8088efb7cf4871b5b729cce
Opcode Fuzzy Hash: 1880ba6eab208c07eae9ce929a97bdb9f7cffe61b5dc80ac2902afa0b0a725da
Instruction Fuzzy Hash: E571BE34608A84AFEF259F56CC84FEE7BB9EF19300F140459F965972A1CB31AC85CB50

Function 001BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001BAEF9
GetKeyboardState.USER32(?), ref: 001BAF0E
SetKeyboardState.USER32(?), ref: 001BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001BB020

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction ID: dac5de2974aca9ccb496804d4b9a7f551d9fde4a4f99d0f320c6b5ec96ce985f
Opcode Fuzzy Hash: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction Fuzzy Hash: AF5190A06086D53DFB3652348C85BFBBEA95F06304F088589F1D9958C2D3D9ECC8D751

Function 001BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001BAD19
GetKeyboardState.USER32(?), ref: 001BAD2E
SetKeyboardState.USER32(?), ref: 001BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001BAE38

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction ID: b387c0bd654c96bad5cc1972d8742514232456cafa250787bba7d2ce5f0491fc
Opcode Fuzzy Hash: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction Fuzzy Hash: D751E4A15487D53DFB378374CC95BFABEA96F46300F488588E1D54A8C2D394EC88D7A2

Function 0018542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00193CD6,?,?,?,?,?,?,?,?,00185BA3,?,?,00193CD6,?,?), ref: 00185470
__fassign.LIBCMT ref: 001854EB
__fassign.LIBCMT ref: 00185506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00193CD6,00000005,00000000,00000000), ref: 0018552C
WriteFile.KERNEL32(?,00193CD6,00000000,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 0018554B
WriteFile.KERNEL32(?,?,00000001,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 00185584

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction ID: dbde87495da6e2d9df10f0ebd46500292045b2dffb53d838f70d18f6778a6993
Opcode Fuzzy Hash: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction Fuzzy Hash: 87519F71A00649AFDB11DFA8D885AEEBBFAEF09300F14415AF955E7291E7309B41CF60

Function 00172D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00172D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00172D53
_ValidateLocalCookies.LIBCMT ref: 00172DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00172E0C
_ValidateLocalCookies.LIBCMT ref: 00172E61

Strings

csm, xrefs: 00172DF6

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction ID: 477094b1e5a97a89e4be78ca1f042e6d51c198d0134c82dffcc25e615776d1cc
Opcode Fuzzy Hash: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction Fuzzy Hash: 7741A234E00209ABCF20DFA8C855A9EBBB5BF58324F14C155E91C6B352D731EA42CB91

Function 001D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000001,00000006), ref: 001D1112
WSAGetLastError.WSOCK32 ref: 001D1121
WSAGetLastError.WSOCK32 ref: 001D11C9
closesocket.WSOCK32(00000000), ref: 001D11F9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction ID: 5d46c9ce26849d8d226e5e75222893cc1dfccead930eb3cead6aa1fa482eb0b6
Opcode Fuzzy Hash: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction Fuzzy Hash: 9441CE31600214BFDB109F68DC85BAABBAAEF45324F14805AFD159F392C770AD85CBE1

Function 001BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

lstrcmpiW.KERNEL32(?,?), ref: 001BCF45
MoveFileW.KERNEL32(?,?), ref: 001BCF7F
_wcslen.LIBCMT ref: 001BD005
_wcslen.LIBCMT ref: 001BD01B
SHFileOperationW.SHELL32(?), ref: 001BD061

Strings

\*.*, xrefs: 001BCFF3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
Instruction ID: 7a6d321314dcc24ece057635c3078f6289e0fde1407336d2bcc319d23819d719
Opcode Fuzzy Hash: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
Instruction Fuzzy Hash: EF4149719452199FDF16EFA4DD81AEE77F9AF18340F1000EAE509EB141EB34A689CB50

Function 001E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E2F0B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction ID: 43202794b62cd06218753f4d3c693f5e34e20336130b2ecdf1239d843a037169
Opcode Fuzzy Hash: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction Fuzzy Hash: 7B3108316046A0AFDB21CF99DC98FA937E9FB5A710F1911A4F9009F2B1CB71AC91DB41

Function 001B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B778F
SysAllocString.OLEAUT32(00000000), ref: 001B7792
SysAllocString.OLEAUT32(?), ref: 001B77B0
SysFreeString.OLEAUT32(?), ref: 001B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001B77DE
SysAllocString.OLEAUT32(?), ref: 001B77EC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c799e7ffcbd6c0c30fb9daf707d713eaf6656848437e85a63ba27047449cd644
Instruction ID: cb906dba4ee217f17cb50b36e21795b3167de9c0b65025e98744507b7e5a2b72
Opcode Fuzzy Hash: c799e7ffcbd6c0c30fb9daf707d713eaf6656848437e85a63ba27047449cd644
Instruction Fuzzy Hash: E4218E76604259AFDB10EFA8DC88CFB77ACEB49764B148425FA15DB190DB70DC8287A0

Function 001B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7868
SysAllocString.OLEAUT32(00000000), ref: 001B786B
SysAllocString.OLEAUT32 ref: 001B788C
SysFreeString.OLEAUT32 ref: 001B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001B78AF
SysAllocString.OLEAUT32(?), ref: 001B78BD

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0c62123319802057dec801d0f1e9b5f2eaeabc68eb51afb7a61f0faf754ecbf1
Instruction ID: f5bbfd388f81a2a7d1f77b45d8f07e63d5060fe6299f6363995339b153d9a049
Opcode Fuzzy Hash: 0c62123319802057dec801d0f1e9b5f2eaeabc68eb51afb7a61f0faf754ecbf1
Instruction Fuzzy Hash: 5C214135608204AFDB109FF8DC88DAA77ECEB497607118125F915CB2E1D774DC82CB64

Function 001C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C052E

Strings

nul, xrefs: 001C0567

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction ID: 17f9f21cde42401f42a5918665583ef1816dec9b1ca6d7bf3b88edd325880499
Opcode Fuzzy Hash: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction Fuzzy Hash: 88218B70500345EFCF218F68DC44F9A7BA4AF69724F204A1CE8A1D62E0D770D981CF60

Function 001C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C0601

Strings

nul, xrefs: 001C0639

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction ID: b46ab60be6f027d9cb72d937c48068b8a0203cb22c03c77b3bffcc88db29af56
Opcode Fuzzy Hash: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction Fuzzy Hash: 56217175500325DBDB219F698C44F9A77E4BFA9720F200A1DE9A1E72D0D770D8A1CB50

Function 001E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001E4145

Strings

Msctls_Progress32, xrefs: 001E40E3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction ID: 3af6deb1c6b9e997a32f805ed98ea598e133ac3b3ad986c9a2aa0f468f19b244
Opcode Fuzzy Hash: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction Fuzzy Hash: 5311E2B2140219BFEF108FA5CC85EEB7FADEF18798F014110BA18A6190C7729C61DBA0

Function 0018D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0018D7A3: _free.LIBCMT ref: 0018D7CC

_free.LIBCMT ref: 0018D82D

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D838
_free.LIBCMT ref: 0018D843
_free.LIBCMT ref: 0018D897
_free.LIBCMT ref: 0018D8A2
_free.LIBCMT ref: 0018D8AD
_free.LIBCMT ref: 0018D8B8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 38369d7d34ce96af2da375efbfe2ed07394711bc4936eb74495af0a8db797c9b
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 08112971940B14AAD622BFF0DC46FCB7B9CAF20704F400825F299A60D2DB79A6058B61

Function 001BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001BDA74
LoadStringW.USER32(00000000), ref: 001BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001BDA91
LoadStringW.USER32(00000000), ref: 001BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001BDAB9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction ID: 307d98c1b663cc4adc1a5832b386f99eec24c4ff6b4d9f4371b1c27d420e7ec3
Opcode Fuzzy Hash: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction Fuzzy Hash: F0014FF6900248BBEB109BE09D89EEB736CEB08301F400491F716E6041E7749EC58BB4

Function 001C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DCE408,00DCE408), ref: 001C097B
EnterCriticalSection.KERNEL32(00DCE3E8,00000000), ref: 001C098D
TerminateThread.KERNEL32(?,000001F6), ref: 001C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001C09A9
CloseHandle.KERNEL32(?), ref: 001C09B8
InterlockedExchange.KERNEL32(00DCE408,000001F6), ref: 001C09C8
LeaveCriticalSection.KERNEL32(00DCE3E8), ref: 001C09CF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction ID: 809dfcb7bcae9916308aae877948b78256cccded7a25d989e805f40c1b95000a
Opcode Fuzzy Hash: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction Fuzzy Hash: 06F0C932442A52EBD7525BA4EEC9BDABA29BF05706F402025F20298CA1C77595A6CFD0

Function 00155D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00155D30
GetWindowRect.USER32(?,?), ref: 00155D71
ScreenToClient.USER32(?,?), ref: 00155D99
GetClientRect.USER32(?,?), ref: 00155ED7
GetWindowRect.USER32(?,?), ref: 00155EF8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: fe950350cae687c8c08077fbb9ef60d3171a77c43c0f18a7684714fc24d76ccc
Instruction ID: 4c766da0461c17d82fafdd4c819ca0270f04f63460b0889441dc47fcffc00df1
Opcode Fuzzy Hash: fe950350cae687c8c08077fbb9ef60d3171a77c43c0f18a7684714fc24d76ccc
Instruction Fuzzy Hash: B7B17B35A0064ADBDF14CFA9C481BEEB7F2FF48311F14851AE8A9DB250D730AA55DB50

Function 001801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001800D6
__allrem.LIBCMT ref: 001800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0018010B
__allrem.LIBCMT ref: 00180122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00180140

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 8eb06c957246371daf8fd1cdcdf86d21b5240b5f5e0fa4e087c60e3c9423260f
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1D81F672600B0AABE725AE68CC41B6B73F8AF55374F24823EF415D6281EB70DA458F50

Function 001D1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D3149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 001D3195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 001D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001D1DE1
WSAGetLastError.WSOCK32 ref: 001D1DF2
inet_ntoa.WSOCK32(?), ref: 001D1E8C
htons.WSOCK32(?), ref: 001D1EDB
_strlen.LIBCMT ref: 001D1F35

Part of subcall function 001B39E8: _strlen.LIBCMT ref: 001B39F2

Part of subcall function 00156D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0016CF58,?,?,?), ref: 00156DBA
Part of subcall function 00156D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0016CF58,?,?,?), ref: 00156DED

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: b90d66eac06ed0af1e87091fe54e4c70452fe4c6dae8f9ce5424067251839339
Instruction ID: 110e27a0a9d4169029ca6dbeff3527576870741600fb1bc50af3ac1c4a03e356
Opcode Fuzzy Hash: b90d66eac06ed0af1e87091fe54e4c70452fe4c6dae8f9ce5424067251839339
Instruction Fuzzy Hash: 6DA1AD31604340BFC324DF64C895E2A7BA5AF94318F54894DF8665F3A2DB31ED4ACB92

Function 001861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001782D9,001782D9,?,?,?,0018644F,00000001,00000001,8BE85006), ref: 00186258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0018644F,00000001,00000001,8BE85006,?,?,?), ref: 001862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001863D8
__freea.LIBCMT ref: 001863E5

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

__freea.LIBCMT ref: 001863EE
__freea.LIBCMT ref: 00186413

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction ID: 1fd19a3a683dd90f9c3194d2452c255ec1e1fcf483ff6df57f1810c5a722df95
Opcode Fuzzy Hash: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction Fuzzy Hash: 2A51E372A00216ABEB25AF64DC81EBF77AAEB54710F154669FC09D6140EB34DE40CBA0

Function 001DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBD25
RegCloseKey.ADVAPI32(00000000), ref: 001DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DBDF3
RegCloseKey.ADVAPI32(?), ref: 001DBDFF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2f03d28d106bb028b584cf4c598d7f7d6267ad02a09dd6e6b9af564612bda3c8
Instruction ID: 42bde17ac3582255cd1b4549f87c6d3955c3115c7d467b7c781cb4737f9ff630
Opcode Fuzzy Hash: 2f03d28d106bb028b584cf4c598d7f7d6267ad02a09dd6e6b9af564612bda3c8
Instruction Fuzzy Hash: 58815830218241EFD714DF64C8D5E2ABBE5BF84308F15895DF45A8B2A2DB31ED49CB92

Function 001AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001AF7B9
SysAllocString.OLEAUT32(00000001), ref: 001AF860
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF889
VariantClear.OLEAUT32(001AFA64), ref: 001AF8AD
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF8B1
VariantClear.OLEAUT32(?), ref: 001AF8BB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fb230199f9239bab9506fc33bce02f669c2af21c4ce9a9633f6695a316a5faba
Instruction ID: f1f7d82d9ffd6fe9d8fbcbf07cba01a9535c2d1ee1c0cf9bb178335d808c3762
Opcode Fuzzy Hash: fb230199f9239bab9506fc33bce02f669c2af21c4ce9a9633f6695a316a5faba
Instruction Fuzzy Hash: EC51E639600310FACF24AFE5D895B2AB3A4EF56314F24846EF805DF292DB708C46C796

Function 001C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001C94E5
_wcslen.LIBCMT ref: 001C9506
_wcslen.LIBCMT ref: 001C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001C9585

Strings

X, xrefs: 001C9412

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3f7a7b556660c17dd6d1908441e770d7d3334eefdf97e9a15f8cdff40c7b3f46
Instruction ID: 37d7729b8ed6b7631e48bcc52184e210e9ec09c6ecc407711d5054586c10c067
Opcode Fuzzy Hash: 3f7a7b556660c17dd6d1908441e770d7d3334eefdf97e9a15f8cdff40c7b3f46
Instruction Fuzzy Hash: 78E17D31608340CFD724DF24D885F6AB7E4BFA5314F04896DE8999B2A2DB31ED05CB92

Function 0016920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

BeginPaint.USER32(?,?,?), ref: 00169241
GetWindowRect.USER32(?,?), ref: 001692A5
ScreenToClient.USER32(?,?), ref: 001692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001692D3
EndPaint.USER32(?,?,?,?,?), ref: 00169321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001A71EA

Part of subcall function 00169339: BeginPath.GDI32(00000000), ref: 00169357

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction ID: e3f17082091fab33466ab6a96b2a2e448dee293f57cc5e4513a5d86994d9b1a0
Opcode Fuzzy Hash: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction Fuzzy Hash: 16419C70104340AFD721DF64DC98FBA7BF8EF6A320F040629F9958A2E1C7309996DB61

Function 001C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001C0847
EnterCriticalSection.KERNEL32(?), ref: 001C0863
LeaveCriticalSection.KERNEL32(?), ref: 001C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001C0921

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 710a286bc8a4f5f8632926e9791bc4181fd32d9cde98bfd14573262b8aabad18
Instruction ID: 40eefa7bc225ed5c3c96a4aef5b264e3deb351253f720c211d7a5a8b59bb16a6
Opcode Fuzzy Hash: 710a286bc8a4f5f8632926e9791bc4181fd32d9cde98bfd14573262b8aabad18
Instruction Fuzzy Hash: 5C415971900205EFDF15DF94DC85AAA7B78FF18304F1480A9ED049E296DB31DE61DBA0

Function 001E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001AF3AB,00000000,?,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001E824C
EnableWindow.USER32(?,00000000), ref: 001E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001E82D1
ShowWindow.USER32(?,00000004), ref: 001E82E5
EnableWindow.USER32(?,00000001), ref: 001E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001E832F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction ID: cca08732221f6631991a18f305139e08a607bd0108c0290c16858dab09530b92
Opcode Fuzzy Hash: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction Fuzzy Hash: 8741B730601A85AFDB25CF56DC99FEC7BF1BB0A714F185165E60C5F262C7329892CB50

Function 001B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001B4CEA
_wcslen.LIBCMT ref: 001B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001B4D10
_wcsstr.LIBVCRUNTIME ref: 001B4D1A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 55405821e6d6521242f49b7f227f97b47d79c2351698a50f83aec591f2365c51
Instruction ID: 742ff14f090db849000eaef8a71943afa85fa0da5945b6a5960d49622edf07c3
Opcode Fuzzy Hash: 55405821e6d6521242f49b7f227f97b47d79c2351698a50f83aec591f2365c51
Instruction Fuzzy Hash: F821D7726042407BEB155B69AC49EBF7FA8DF59750F11C02DF805CA192DB61DC4196A0

Function 001C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

_wcslen.LIBCMT ref: 001C587B
CoInitialize.OLE32(00000000), ref: 001C5995
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C59AE
CoUninitialize.OLE32 ref: 001C59CC

Strings

.lnk, xrefs: 001C5876, 001C58C1, 001C5985

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
Instruction ID: d60a67b7bd19b24fd414f12727999b67ecb328df10f6bf7501a01f0b5f8f4a22
Opcode Fuzzy Hash: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
Instruction Fuzzy Hash: BFD15370608601DFC714DF25C480E2ABBE2EFA9714F14895DF8999B261DB31EC85CB92

Function 001B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
Part of subcall function 001B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
Part of subcall function 001B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
Part of subcall function 001B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

GetLengthSid.ADVAPI32(?,00000000,001B1335), ref: 001B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001B17BA
HeapAlloc.KERNEL32(00000000), ref: 001B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001B17DA
GetProcessHeap.KERNEL32(00000000,00000000,001B1335), ref: 001B17EE
HeapFree.KERNEL32(00000000), ref: 001B17F5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction ID: 9bdba7d5ed79effe2f19decd985b90da71ac4154b65a8dae48d3fded57f53bca
Opcode Fuzzy Hash: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction Fuzzy Hash: 63118E32610205FFDB14DFA4CC99BEF7BA9EB46355F514018F8419B210DB35A985CBA0

Function 001B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001B1515
CloseHandle.KERNEL32(00000004), ref: 001B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001B1563

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction ID: 9fd0c342ae758b208084461b0f4f77411ebec2354e7fd8ba1775e9e794bc42df
Opcode Fuzzy Hash: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction Fuzzy Hash: 6C111472504249BBDB11CFA8ED89BDE7BA9EB49744F054025FA05A6060C3758EA19BA0

Function 00173382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00173379,00172FE5), ref: 00173390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0017339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001733B7
SetLastError.KERNEL32(00000000,?,00173379,00172FE5), ref: 00173409

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c5869a3557cd8b4b953a3c7c438a6d82c3ba8c25f823f62f4ac0bab58f51314d
Instruction ID: 89c7aa992c07e4f2d5d8f5472a7b7dc0ee6c9981b0f26c1bfde835c32abed7be
Opcode Fuzzy Hash: c5869a3557cd8b4b953a3c7c438a6d82c3ba8c25f823f62f4ac0bab58f51314d
Instruction Fuzzy Hash: 5E01FC33649311BFA62927B57CC95A72A75FB29379730C229F538851F0EF114E017654

Function 00182D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00185686,00193CD6,?,00000000,?,00185B6A,?,?,?,?,?,0017E6D1,?,00218A48), ref: 00182D78
_free.LIBCMT ref: 00182DAB
_free.LIBCMT ref: 00182DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DEC
_abort.LIBCMT ref: 00182DF2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
Instruction ID: 06ce1f5bb1f56df62892971ed08033989545e869672a7a90e9e54b7da99d5976
Opcode Fuzzy Hash: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
Instruction Fuzzy Hash: 79F0C83664561037C61337B8BC0AE5F295ABFE27A1F254618F824972D2EF349B425F60

Function 001E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001E8A70
LineTo.GDI32(?,00000000,00000003), ref: 001E8A80
EndPath.GDI32(?), ref: 001E8A90
StrokePath.GDI32(?), ref: 001E8AA0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction ID: eeb7f5a6344fb4375fe8bca76424d5e19332916df040813432f6a0332e282022
Opcode Fuzzy Hash: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction Fuzzy Hash: 6B11FA7600018CFFDF129F90DC88E9A7F6CEB04354F048021FA199A161C7719D96DFA0

Function 001B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B5230
ReleaseDC.USER32(00000000,00000000), ref: 001B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001B5261

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction ID: a92306d1311c1b2ddf1f1949c95f44c5d1bd7ad9d0cfa792bbf260d037287369
Opcode Fuzzy Hash: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction Fuzzy Hash: 56014F75A01758BBEB109BE59C89B5EBFB9EB48751F044065FA04AB681D7709801CBA0

Function 00151BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction ID: 9449716f2269e0a604b0a56bf2ae3351ee80d5c4276e1efa883046dac3c74053
Opcode Fuzzy Hash: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction Fuzzy Hash: 950148B09027597DE3008F5A8C85A56FFA8FF19354F04411B915C4BA41C7B5A864CBE5

Function 001BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB75

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction ID: 03cee1823f82090a5c5afe3b0c74c039e346dcc77282acf413ae6adfe08b9561
Opcode Fuzzy Hash: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction Fuzzy Hash: E9F03072140198BBE72157929C4DEEF3A7CEFCAB11F000158FA01D5591D7A05A42C6F5

Function 001A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001A7469
GetWindowDC.USER32(?), ref: 001A7475
GetPixel.GDI32(00000000,?,?), ref: 001A7484
ReleaseDC.USER32(?,00000000), ref: 001A7496
GetSysColor.USER32(00000005), ref: 001A74B0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction ID: 21c2492fb191562cf68c09642062bb26093381affaf7d2154fb6c6b33d76eeba
Opcode Fuzzy Hash: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction Fuzzy Hash: 9B018B31500255EFDB105FA4DC48BEEBBB6FF48311F110064F926A65A0CB311E92AB90

Function 001B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B187F
UnloadUserProfile.USERENV(?,?), ref: 001B188B
CloseHandle.KERNEL32(?), ref: 001B1894
CloseHandle.KERNEL32(?), ref: 001B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B18A5
HeapFree.KERNEL32(00000000), ref: 001B18AC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction ID: be25b518466eaa1fdf5bf89df514c9f5f956db2d9e383008f828890ecafd2c38
Opcode Fuzzy Hash: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction Fuzzy Hash: 14E0E536004241FBDB015FE1ED4C90EBF39FF4AB22B108220F62589870CB3294A2DF90

Function 0015BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015BEB3

Strings

D%", xrefs: 0015BCA2
D%", xrefs: 0015BE9A
D%", xrefs: 0015BDED, 0015BD91, 0015BD1B
D%"D%", xrefs: 0015BCA5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%"$D%"$D%"$D%"D%"
API String ID: 1385522511-2824579510
Opcode ID: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction ID: 25f4e7b776448bdbb4891d8ed75c567522f66192cd249da84d1df6a27f3a6db5
Opcode Fuzzy Hash: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction Fuzzy Hash: 85916A75A0820ADFCB18CF98C0D16A9B7F1FF58315F248169E965AB350E731ED89CB90

Function 001BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC6EE
_wcslen.LIBCMT ref: 001BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001BC7CA

Strings

0, xrefs: 001BC6AF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e27c1fc924828078d3c980864bb09c58faacf82ca5f61302ee9e48bcd49f3f16
Instruction ID: ce6e03d37aafc10d1c07db169108cfe29392bfab8b7c8360c9daa3319b160de5
Opcode Fuzzy Hash: e27c1fc924828078d3c980864bb09c58faacf82ca5f61302ee9e48bcd49f3f16
Instruction Fuzzy Hash: 6251FF726043019BD714DF68C885BEBB7E8AFA9310F040A2DF9A5D72A0DB70D814CBD2

Function 001DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001DAEA3

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetProcessId.KERNEL32(00000000), ref: 001DAF38
CloseHandle.KERNEL32(00000000), ref: 001DAF67

Strings

@, xrefs: 001DAE72
<, xrefs: 001DAE6B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4c3b222d6c60d4d78c0bcefaa976f48587f84fa86f0505dbbd3ab6d0ca595b28
Instruction ID: d979d4b7092b142707d0d6f89055401a653f01793b977740b9181b5ea0f54bc4
Opcode Fuzzy Hash: 4c3b222d6c60d4d78c0bcefaa976f48587f84fa86f0505dbbd3ab6d0ca595b28
Instruction Fuzzy Hash: 6F717771A00618DFCB14DFA4D485A9EBBF0BF08301F44849AE866AF392D770ED45CB91

Function 001B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B72CF

Strings

DllGetClassObject, xrefs: 001B7242

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction ID: f7efbdecb95adbb24db153f526c3ba531b84d2f0095e49ae899cdcdc5970d26a
Opcode Fuzzy Hash: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction Fuzzy Hash: 0C413171A04204EFDB15CF94C984ADA7BA9EF98310F1580ADFD05DF28AD7B1DA45CBA0

Function 001E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E3E35
IsMenu.USER32(?), ref: 001E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001E3E92
DrawMenuBar.USER32 ref: 001E3EA5

Strings

0, xrefs: 001E3D89

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d8a12d2934cb9476736179d6a3e49271f5256e0f7e6f5699a9aecdedce7f236e
Instruction ID: 22d57d3796b875e35a2fbaee2e2503188e99102955be85117e2f42da572caa05
Opcode Fuzzy Hash: d8a12d2934cb9476736179d6a3e49271f5256e0f7e6f5699a9aecdedce7f236e
Instruction Fuzzy Hash: 1C418A74A00649EFDB14DF91D888EAEBBB5FF48350F044129F825AB250D330AE42CF90

Function 001B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001B1EA9

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Strings

ListBox, xrefs: 001B1E25
ComboBox, xrefs: 001B1DF0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6249bd73941faf86893cf3fb99e1a02e5c5e75deab5dcedbf27ed131c44b4ba1
Instruction ID: 049a35a52cbbd5588a56f9212f69565ce58bee781df664f6186c34d139814ff1
Opcode Fuzzy Hash: 6249bd73941faf86893cf3fb99e1a02e5c5e75deab5dcedbf27ed131c44b4ba1
Instruction Fuzzy Hash: DD218B71A00104FEDB049BA4DC95CFFBBB8DF66350B954019FC21AB1E1DB34890A8660

Function 001DC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001DC9F1
_wcslen.LIBCMT ref: 001DCA68
_wcslen.LIBCMT ref: 001DCA9E
_wcslen.LIBCMT ref: 001DCAF9
_wcslen.LIBCMT ref: 001DCB2F
_wcslen.LIBCMT ref: 001DCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 001DCA62, 001DCA67
HKLM, xrefs: 001DCA98, 001DCA9D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 27fc46ba6fb8a7f48fc0d4d02aab15a0a8ece011215031036b1428d6501eecd1
Instruction ID: 5f135a7f760bd5fe5267a9102ef60e1fd3ce509823afd09426383623b947191c
Opcode Fuzzy Hash: 27fc46ba6fb8a7f48fc0d4d02aab15a0a8ece011215031036b1428d6501eecd1
Instruction Fuzzy Hash: F731D273A1016B8BCB20DE6C99405BE33A29BB1794B15492BF855AB345FB71CE84D3E0

Function 001E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001E2F8D
LoadLibraryW.KERNEL32(?), ref: 001E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001E2FA9
DestroyWindow.USER32(?), ref: 001E2FB1

Strings

SysAnimate32, xrefs: 001E2F68

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction ID: 220eab493e316ff1c9be479fe09a3f774dc70ef901ddde7ff06ab4797fb5cb11
Opcode Fuzzy Hash: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction Fuzzy Hash: 0E21CD72600685ABEB204FA6DCA1FBF77BDEB69364F100228FA50D7190D771DC9197A0

Function 00174D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002), ref: 00174D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000), ref: 00174DC3

Strings

CorExitProcess, xrefs: 00174D98
mscoree.dll, xrefs: 00174D86

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction ID: 42286adc43b6447e5a1c4ceec0a82dc098da173af7116daf8408f076b1ae984d
Opcode Fuzzy Hash: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction Fuzzy Hash: F3F04F35A40308FBDB129FD4DC49BEDBBB5EF58752F0441A8F949A6660DB309A81CAD0

Function 00154E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

Strings

kernel32.dll, xrefs: 00154E94
Wow64DisableWow64FsRedirection, xrefs: 00154EA8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction ID: be3d013bd8dfdbdf47974ead1180368ea9011aa367aadbbc6be0b0770b288f19
Opcode Fuzzy Hash: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction Fuzzy Hash: 4FE0CD35E01622DBD2311765AC1DB9F6595EF82F677090115FC10DB100DB74CD8744F4

Function 00154E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Strings

kernel32.dll, xrefs: 00154E5B
Wow64RevertWow64FsRedirection, xrefs: 00154E6E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction ID: b7639192e3c66d02ee714366046c33bc27093985dbd3e6533818d3e8189d924e
Opcode Fuzzy Hash: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction Fuzzy Hash: A5D0C231902A61E7A6221B256C09DCF2A18EF85F563090114BC10AA110CF34CD8285D0

Function 001C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2C05
DeleteFileW.KERNEL32(?), ref: 001C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CC0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ae190ce48830e2ed874799ac27b081a834222fb516a7dd5b191b3003b5e3f892
Instruction ID: 4615b53e8d2ec19ea7ace31d2033b3696d09487e5d0c7df43563d4651fcfb31f
Opcode Fuzzy Hash: ae190ce48830e2ed874799ac27b081a834222fb516a7dd5b191b3003b5e3f892
Instruction Fuzzy Hash: 35B13E71900119ABDF25DBA4CC85FDEB7BDEF69350F1040AAF909A7141EB30DA448B61

Function 001DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001DA468
CloseHandle.KERNEL32(?), ref: 001DA63D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
Instruction ID: d81b1adf4ea3605746f018c4429fd4f90e5c0d04b8711bf956d938dc5d1db309
Opcode Fuzzy Hash: f43d970dd46c7b9cccfa8862d3ac88050b9e8cf3c76993083068f06eea1ff8c2
Instruction Fuzzy Hash: 11A1A1716043009FD720DF28D886F2AB7E5AF94714F54885DF96A9B392DBB0EC45CB82

Function 001BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

lstrcmpiW.KERNEL32(?,?), ref: 001BE473
MoveFileW.KERNEL32(?,?), ref: 001BE4AC
_wcslen.LIBCMT ref: 001BE5EB
_wcslen.LIBCMT ref: 001BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001BE650

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
Instruction ID: e4e14eb6f10e32388944786fbd4b372fe7c38388edb07f83c299f04b5d9b5507
Opcode Fuzzy Hash: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
Instruction Fuzzy Hash: 5E5153B24083859BC724DBA4DC819DF73ECAF95340F00492EF689D7191EF75A68C8766

Function 001DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001DBB63
RegCloseKey.ADVAPI32(?,?), ref: 001DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001DBBB3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
Instruction ID: 794fa9a652abc7f52174d00c4422fd1d865f7f802576022efa2c4b45f9ce44a3
Opcode Fuzzy Hash: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
Instruction Fuzzy Hash: B2612A31208241EFD714DF54C8D1E2ABBE5BF84308F55895EF49A8B2A2DB31ED45CB92

Function 001B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B8BCD
VariantClear.OLEAUT32 ref: 001B8C3E
VariantClear.OLEAUT32 ref: 001B8C9D
VariantClear.OLEAUT32(?), ref: 001B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001B8D3B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction ID: 5d89eaa1567797e7967c3384e7f7852d5be5ffef6afd645e0db0477f1390e12d
Opcode Fuzzy Hash: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction Fuzzy Hash: F6516AB5A00219EFCB14CF68C894AEAB7F8FF8D710B15855AE909DB350E730E911CB90

Function 001C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001C8C5F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ed09fd88a96d02a45e1fa77c92dd10c8ee91ea5e02adc7def147bab61f591f25
Instruction ID: 2780e3c34c26c0cf3772a560e3aedfe3f933597bdbdd8a201400bd3eba70c0ca
Opcode Fuzzy Hash: ed09fd88a96d02a45e1fa77c92dd10c8ee91ea5e02adc7def147bab61f591f25
Instruction Fuzzy Hash: 70513835A00215DFCB04DF64D881EADBBF5BF58314F088458E859AB3A2DB31ED55CB90

Function 001D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001D9032
FreeLibrary.KERNEL32(00000000), ref: 001D9052

Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001C1043,?,753CE610), ref: 0016F6E6
Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001AFA64,00000000,00000000,?,?,001C1043,?,753CE610,?,001AFA64), ref: 0016F70D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction ID: 55dbca4feff6290d00a17cd06bc149cb10f36b5ead40adc4df62f888b0303c59
Opcode Fuzzy Hash: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction Fuzzy Hash: 6F515C35604205DFCB15EF68D4848ADBBF1FF59314B0580A9E81A9F362DB31ED8ACB91

Function 001E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001CAB79,00000000,00000000), ref: 001E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001E6CC7

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction ID: 8bde7ba1e71ddbf6e67be9aae008adb3258c26e98a2492320cafce4b546be42b
Opcode Fuzzy Hash: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction Fuzzy Hash: 8741F735600584AFD724CF6ACC98FAD7BA5EB19390F650228FC99A73E0C371ED41CA80

Function 00182051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001820C3
_free.LIBCMT ref: 001820E3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction ID: 70b838e9fca00b8ca448654e9b1d255c0162866eaf89ada6b0eb898f84553216
Opcode Fuzzy Hash: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction Fuzzy Hash: BB41D376A002009FCB25EF78C885A9DB7F5EF99314F268569E515EB391DB31EE01CB80

Function 0016912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00169141
ScreenToClient.USER32(00000000,?), ref: 0016915E
GetAsyncKeyState.USER32(00000001), ref: 00169183
GetAsyncKeyState.USER32(00000002), ref: 0016919D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction ID: c32a2d5036ef5c5d77177310a138939da6bd5106d9c9cecd2e6a31c48aa97bb3
Opcode Fuzzy Hash: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction Fuzzy Hash: 2B415E75A0864AEBDF199F68CC44BEEB7B8FF06330F248215E425A72D0C7346A54CB91

Function 001C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001C3922
TranslateMessage.USER32(?), ref: 001C394B
DispatchMessageW.USER32(?), ref: 001C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction ID: de07da64279ef1423df1163ddd52559559d8c7e2f1c386c9d47191b31e3a7bcf
Opcode Fuzzy Hash: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction Fuzzy Hash: 7731B970904381AEEB35CBB4AC4DFB677A4AB35308F04856DE472865A0D3F5D686CB51

Function 001CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFF2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4bb4ba25f0acecce699c0f44626891e9ba85824c3d35a95482f2d6a41ade4ed5
Instruction ID: 4c06c71d1c9792f0457488f15fef66c0b22df8b005b0fb17a822d8f05329ce31
Opcode Fuzzy Hash: 4bb4ba25f0acecce699c0f44626891e9ba85824c3d35a95482f2d6a41ade4ed5
Instruction Fuzzy Hash: 5C314B71900205AFDB24DFA5D884EAEBBF9EB24350B10442EF51AD6540DB30EE41DBA0

Function 001B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001B19E2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction ID: 00f8b5812e3b08875a98a42a7f0d70d1515674c032fa034aed988536738ffd84
Opcode Fuzzy Hash: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction Fuzzy Hash: 6A31C072A00259FFCB04CFA8CDA9ADE3BB5EB05319F514229F921EB2D1C7709944CB90

Function 001E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001E579D
_wcslen.LIBCMT ref: 001E57AF
_wcslen.LIBCMT ref: 001E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction ID: eb62fbbe09eb0fbf4546a175201c600512fb0a6b3e4760f3f22ee9e8a4d0a58c
Opcode Fuzzy Hash: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction Fuzzy Hash: 8021A531D04A989ADB208FA1CC84AEE7BB9FF14328F148216E919EB1C1E7708985CF50

Function 001D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001D0951
GetForegroundWindow.USER32 ref: 001D0968
GetDC.USER32(00000000), ref: 001D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001D09B0
ReleaseDC.USER32(00000000,00000003), ref: 001D09E8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction ID: a79f7cd2c16cf434429be110859946a4f6b2228885591f96f115cf7f3228d353
Opcode Fuzzy Hash: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction Fuzzy Hash: 7A216F35600204AFD704EFA9DC94AAEBBE5FF58701F04846DE85ADB752DB70AC45CB90

Function 0018CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0018CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018CDE9

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018CE0F
_free.LIBCMT ref: 0018CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018CE31

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction ID: e958602a2ae63b4e5817c00d4e1eae09f62383bd76fd0888ea4d19a03a944981
Opcode Fuzzy Hash: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction Fuzzy Hash: D40184726016557F232136BA6C88D7F6E6DEFC6BA13154129F905C7201EB718F028BF0

Function 00169639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
SelectObject.GDI32(?,00000000), ref: 001696A2
BeginPath.GDI32(?), ref: 001696B9
SelectObject.GDI32(?,00000000), ref: 001696E2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction ID: e44c796555f198626d25065c5465cccc452d12356bef9d7c3f5710b95ac31fdf
Opcode Fuzzy Hash: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction Fuzzy Hash: F9214CB0802385EBDB219FA4EC58BAD3BA9BF61755F10061AF410A61B0D37099F3CF94

Function 001B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5726
_memcmp.LIBVCRUNTIME ref: 001B5744
_memcmp.LIBVCRUNTIME ref: 001B5757
_memcmp.LIBVCRUNTIME ref: 001B576F
_memcmp.LIBVCRUNTIME ref: 001B5787

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction ID: 3e744240950d7f23664eb20e4685a98fd9e3055b593b1d9a5091baeb7cab6983
Opcode Fuzzy Hash: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction Fuzzy Hash: 0F017971741A05BBE30857159D82FFF736FAB713A8FA44025FD089B641FB61EE1282A1

Function 00182DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6), ref: 00182DFD
_free.LIBCMT ref: 00182E32
_free.LIBCMT ref: 00182E59
SetLastError.KERNEL32(00000000,00151129), ref: 00182E66
SetLastError.KERNEL32(00000000,00151129), ref: 00182E6F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
Instruction ID: b74181cce1624f5f65229d36570dc6011b31d137c78fe4e5194cb2eb77382830
Opcode Fuzzy Hash: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
Instruction Fuzzy Hash: D3012836645A007BC62377747C89D6F265EABE17B5B364028F825A32D2EF348F014F64

Function 001B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0070

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction ID: 5e82318942e018037074c7c26c7a91e17c5eb2299172f563645bd6342c1c84dc
Opcode Fuzzy Hash: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction Fuzzy Hash: CA018F72600204BFDB125FA8DC44FEF7AADEB48791F144128F905D6210D771DD818BA0

Function 001B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction ID: 465eebd2543eb461139ff385fef29d4f5b5d0c48c1df7439c1ab3acb9955c346
Opcode Fuzzy Hash: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction Fuzzy Hash: FB018179500205BFDB114FA8DC89EAE3F6EEF86360B150418FA41C7350DB31DC418BA0

Function 001B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction ID: 599e9936f87d08dfc6ea5be66b7b6e55289394f4995e8dd25743e20eae4b6c2e
Opcode Fuzzy Hash: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction Fuzzy Hash: C1F04939200345FBDB215FA49C8DF9A3BADEF8A762F614415FE45CA651CB70DC818BA0

Function 001B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction ID: cdb0f7641aa69fefaf5f8958020618415bc2e9da5b5d7ae4a01c25d16c6d56bd
Opcode Fuzzy Hash: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction Fuzzy Hash: 61F04F39100341FBD7215FA4EC99F9A3B6DEF8A761F610414FD45CA650CB70D8818AA0

Function 001C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0324
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0331
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C033E
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C034B
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0358
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0365

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction ID: a38da16d7f258c06d9e74c4272991f74404e954a857839e5a82c99d01665fd7a
Opcode Fuzzy Hash: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction Fuzzy Hash: FB01EE72800B81CFCB32AF66D880802FBF9BF603153059A3FD19252931C3B1A989CF80

Function 0018D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0018D752

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D764
_free.LIBCMT ref: 0018D776
_free.LIBCMT ref: 0018D788
_free.LIBCMT ref: 0018D79A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction ID: c65d8b95ff346c1a461134dce79e44d5ca6767d63c1cfe7225bc4c62264a7d1c
Opcode Fuzzy Hash: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction Fuzzy Hash: 94F03632944314AB8622FB68F9C6C5677EDBB547187A64C05F048D7541CB34FD808F64

Function 001B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001B5C6F
MessageBeep.USER32(00000000), ref: 001B5C87
KillTimer.USER32(?,0000040A), ref: 001B5CA3
EndDialog.USER32(?,00000001), ref: 001B5CBD

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
Instruction ID: e3dcab7e899e61fb01312033fd6db4893d599fc4163af640aded9e4908bcc629
Opcode Fuzzy Hash: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
Instruction Fuzzy Hash: 61018130500B44ABEB245B50DD8EFEA7BBEBB04B05F000559E583A55E1DBF0A9898BD0

Function 001822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001822BE

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 001822D0
_free.LIBCMT ref: 001822E3
_free.LIBCMT ref: 001822F4
_free.LIBCMT ref: 00182305

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction ID: 107266f03a7132f327449c6597ddb6fe465b9aa4763c1166d01daab8b524b9b5
Opcode Fuzzy Hash: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction Fuzzy Hash: 3CF030B4880130AB8623BFD4BC498483B65B7387507122606F814D3272CF3416639FA4

Function 001695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001695D4
StrokeAndFillPath.GDI32(?,?,001A71F7,00000000,?,?,?), ref: 001695F0
SelectObject.GDI32(?,00000000), ref: 00169603
DeleteObject.GDI32 ref: 00169616
StrokePath.GDI32(?), ref: 00169631

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction ID: 4c524640da1133d827d86fe88e92990ec3bcc0cd4ca179ec3a1cad6367edb3fb
Opcode Fuzzy Hash: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction Fuzzy Hash: B2F0C9350053C8EBDB265FA9ED5CB683B65AB11322F049214F465594F0C73089F7DF60

Function 00180F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001810F9
__freea.LIBCMT ref: 00181117

Part of subcall function 00181537: _free.LIBCMT ref: 0018154F

Strings

a/p, xrefs: 001811DE
am/pm, xrefs: 0018117A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction ID: 6a427964ef79f1e446761cf10dcdfe939daafe30cd2ebca6cab6a48620859363
Opcode Fuzzy Hash: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction Fuzzy Hash: BED10433900206EACB28BF68C845BFAB7B9FF16710F294159E9059B650D3759F82CF51

Function 001D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D6238

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Part of subcall function 001C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4
Part of subcall function 001C359C: LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

x#", xrefs: 001D6353
x#", xrefs: 001D633A
x#", xrefs: 001D636F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#"$x#"$x#"
API String ID: 1072379062-2717048500
Opcode ID: 406a1dc8afe65632503b262d9c69ac15d3583292a07f08d2689170b148a151a9
Instruction ID: bfa7aa91f0c1e63cc613c375ecdcdee27f9cb44ede8b36ed7d4e646dc2912c9d
Opcode Fuzzy Hash: 406a1dc8afe65632503b262d9c69ac15d3583292a07f08d2689170b148a151a9
Instruction Fuzzy Hash: 31C16A71A00205AFCB14DF98D891EBEB7B9EF58340F10816AF915AB391DB70E985CB90

Function 001D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D7BFB

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Strings

G, xrefs: 001D7C7F
5, xrefs: 001D7C78
Variable must be of type 'Object'., xrefs: 001D7C3A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6a80c0a9eb841456cba3d513b1fa83283e26a32446ae5f82bb7422fdabd96e7b
Instruction ID: 2bb7329ad05a93c68b79b5e72f6bb6aacdf846d9924152d66c3431f61775a775
Opcode Fuzzy Hash: 6a80c0a9eb841456cba3d513b1fa83283e26a32446ae5f82bb7422fdabd96e7b
Instruction Fuzzy Hash: 3A918B71A04609EFCB14EF94D891DADB7B2FF59300F50805AF806AB392EB71AE45CB51

Function 001B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001B2760

Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8

Part of subcall function 001BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001BB355
Part of subcall function 001BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB365
Part of subcall function 001BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B281A

Strings

@, xrefs: 001B2832

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction ID: 51ce2d8a171ee64ab2b5187b5b6f20aa083fb550fe0eb2cd5cef0171e9208ecd
Opcode Fuzzy Hash: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction Fuzzy Hash: 25410B76900218AFDB10DBA4CD85AEEBBB8AF19700F104095FA55B7191DB706E89CBA1

Function 0018172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00181769
_free.LIBCMT ref: 00181834
_free.LIBCMT ref: 0018183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00181760, 00181767, 00181796, 001817CE

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction ID: 25b1637e87d1ea04a8131f135ee3485f8733aac8d797f9f7df5d295462f39acd
Opcode Fuzzy Hash: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction Fuzzy Hash: 46318E72A00218FBDB21EB999885D9EBBFCEBA5310B1041AAF80497211D7708F42CF90

Function 001BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00221990,00DD55F8), ref: 001BC395

Strings

0, xrefs: 001BC2DF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction ID: 194bb264b45e44a142006ff3f8f18a22a391342694e33586f5769a1dbbed6b14
Opcode Fuzzy Hash: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction Fuzzy Hash: D341AE312043419FD724DF25D884F9BBBE4BF95320F048A1EF8A59B2E1D770A904CBA2

Function 001E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ECC08,00000000,?,?,?,?), ref: 001E44AA
GetWindowLongW.USER32 ref: 001E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E44D7

Strings

SysTreeView32, xrefs: 001E447C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction ID: 4f948de105af6f83bcd7a292fd7c517870a6fff8396bcedd57766362a476087a
Opcode Fuzzy Hash: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction Fuzzy Hash: 35319C32210A85AFDB208E79DC45BEA77A9EF08334F204325F975921D0D770AC519790

Function 001D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001D3077,?,?), ref: 001D3378

inet_addr.WSOCK32(?), ref: 001D307A
_wcslen.LIBCMT ref: 001D309B
htons.WSOCK32(00000000), ref: 001D3106

Strings

255.255.255.255, xrefs: 001D3095, 001D309A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction ID: 36302389bd5b74fc7963aeda48b6f4581fe5c78bd5deb5353fde337ffd33a6ed
Opcode Fuzzy Hash: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction Fuzzy Hash: 8D31E739200206DFC710CF68C985EA977F0EF54318F25815AE9258F792D771EE45C762

Function 001E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E3F78

Strings

SysMonthCal32, xrefs: 001E3F0B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8eb197c1462b58c79c10457f422fe0326e82cceb01a9d71582fab179219b30fa
Instruction ID: 62871996ee1bea0a938621e82ff4699780f2478d46b38363542471b570526bd8
Opcode Fuzzy Hash: 8eb197c1462b58c79c10457f422fe0326e82cceb01a9d71582fab179219b30fa
Instruction Fuzzy Hash: 2D21AD32600259BBDF218F91CC86FEE3BB5EF48714F110214FA156B1D0D7B1A9918B90

Function 001E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001E471A

Strings

msctls_updown32, xrefs: 001E4684

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction ID: dcb127bb1972fdd92ed84acc346042486dc44a093492411b7665f8c063e11d23
Opcode Fuzzy Hash: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction Fuzzy Hash: A42160B5600648AFDB10DF65DCC1DAB37EDEF5A7A4B040059FA009B351CB70EC62CAA0

Function 001B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B961D

Strings

#requireadmin, xrefs: 001B95D9
#notrayicon, xrefs: 001B95B7
#OnAutoItStartRegister, xrefs: 001B95F3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2c67811d84d465d490382df9eaf49a0512ace1820f3d3f73c4af246ca5209a89
Instruction ID: 08d58ab944dd2d163dffa6f409810c5fcdfc3863f4d01ead0195c5f079be93af
Opcode Fuzzy Hash: 2c67811d84d465d490382df9eaf49a0512ace1820f3d3f73c4af246ca5209a89
Instruction Fuzzy Hash: 0D216A32244650A6D331AB25EC06FFB73E8AFA5300F10802AFF499B081EB51AD57C2D5

Function 001E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001E3876

Strings

Listbox, xrefs: 001E380F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction ID: c6b3af4d9b76458da474c0d44e8630a58ffee346f63180ec1bd1da2dd3f0f71e
Opcode Fuzzy Hash: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction Fuzzy Hash: 95218072610158BBEB218F96DC89EAF376AEF99750F118124F9149B190C771DC5287A0

Function 001C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001C4A5C
SetErrorMode.KERNEL32(00000000,?,?,001ECC08), ref: 001C4AD0

Strings

%lu, xrefs: 001C4A6F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction ID: 274e549ec4d2a4b158e85a112dadda25490d7f5c1a6a5db5bdf618cb7d555f1d
Opcode Fuzzy Hash: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction Fuzzy Hash: A7312D75A00109EFDB10DF54C885EAA77E8EF15308F148099E905DF252D771ED46CBA1

Function 001E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001E4271

Strings

msctls_trackbar32, xrefs: 001E4226

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction ID: 3c6b4881a58c3e623445cdec4c664c663ae3b4479144e521d80e5917a8b9eb99
Opcode Fuzzy Hash: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction Fuzzy Hash: 7011E331240288BFEF205F69DC46FAB7BACEF99B64F010124FA55E6090D371D8619B50

Function 001B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Part of subcall function 001B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
Part of subcall function 001B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
Part of subcall function 001B2DA7: GetCurrentThreadId.KERNEL32 ref: 001B2DDD
Part of subcall function 001B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

GetFocus.USER32 ref: 001B2F78

Part of subcall function 001B2DEE: GetParent.USER32(00000000), ref: 001B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001B2FC3
EnumChildWindows.USER32(?,001B303B), ref: 001B2FEB

Strings

%s%d, xrefs: 001B2FFF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction ID: aeb4f28968df2c37d281e3ec64f33db628ec5389d756338d2afc41b5962f4cbc
Opcode Fuzzy Hash: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction Fuzzy Hash: CF11B471700205ABCF147FB08CC5EEE776AAFA9304F044075FD199B252DF70994A8BA0

Function 001E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58EE
DrawMenuBar.USER32(?), ref: 001E58FD

Strings

0, xrefs: 001E588F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e3de92ad32b4a62f0baf462da8ad6ce62c102cb367570aa35ac91c7ad7a90246
Instruction ID: f4d0346a56bdf7918586f3873aa8091c0fb720261c98aef7a2bb8f9728d75ccb
Opcode Fuzzy Hash: e3de92ad32b4a62f0baf462da8ad6ce62c102cb367570aa35ac91c7ad7a90246
Instruction Fuzzy Hash: E701AD31600688EFDB209F52EC44BEEBFB5FF45369F008099E848DA152DB308A91DF20

Function 001AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 001AD3BF
FreeLibrary.KERNEL32 ref: 001AD3E5

Strings

X64, xrefs: 001AD2A8
GetSystemWow64DirectoryW, xrefs: 001AD3B9

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction ID: 7fbf4d3b65e264529e84065f51a90e0024ba89d40263040fbe092a3435428beb
Opcode Fuzzy Hash: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction Fuzzy Hash: 5AF05569802E21DBCB3543116C54AAD3324BF12741B5A415AF403F5808DB20CD95C2C2

Function 001B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction ID: cb3ccee6a1ee809fd691ac93f07862a2dd6d692361922131878023ea9a06bf95
Opcode Fuzzy Hash: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction Fuzzy Hash: 58C14C75A0021AEFDB15CFA8C898AAEB7B5FF48704F118598E505EB261D731ED81CB90

Function 00183E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00183F0B
__alldvrm.LIBCMT ref: 0018410C
__alldvrm.LIBCMT ref: 0018412E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7445ef4685ab88ceb853f0eacf85e1820f6bb22b5d30660a64c4433eab6d54b6
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 71A15871E003879FEB15EF18C8917AEBBE4EF61350F18416DE5959B282CB349A81CF91

Function 001D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001D3459
CoUninitialize.OLE32 ref: 001D3463
VariantInit.OLEAUT32(?), ref: 001D346E
VariantClear.OLEAUT32(?), ref: 001D371B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6ab6c429bc4c692a0afacbb95eafda965b9316f7f7db1ea370120169f8298a08
Instruction ID: e7d70af082f41b1b90189db9ab7fba10cf62b3b0b52a78c2ed31423220d1313b
Opcode Fuzzy Hash: 6ab6c429bc4c692a0afacbb95eafda965b9316f7f7db1ea370120169f8298a08
Instruction Fuzzy Hash: CBA13D75604300DFC704DF28D485A2AB7E5FF98715F05885AF9999B3A1DB30EE05CB92

Function 001B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B0608
CLSIDFromProgID.OLE32(?,?,00000000,001ECC40,000000FF,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B062D
_memcmp.LIBVCRUNTIME ref: 001B064E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
Instruction ID: e39592b26319df60fdc9b23054b8e0f4436dd13f782a0ead90e763e7c9cc0fb0
Opcode Fuzzy Hash: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
Instruction Fuzzy Hash: 53810971A00209EFCB05DF98C984EEEB7B9FF89315F204558E516EB250DB71AE46CB60

Function 00191391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001914C0

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
Instruction ID: bb03df5c9737b60ce2ec77978f155002fe242829ef646c085acb5c293937fe60
Opcode Fuzzy Hash: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
Instruction Fuzzy Hash: B4414731A00102BBDF257BF89C466BE3AB4FF69370F254225F81897192E73489C18762

Function 001E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E62E2
ScreenToClient.USER32(?,?), ref: 001E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001E6382

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction ID: 15959797951c1ad14625715ee0d381cd75643190966e0d75b73b29a7f73d56c2
Opcode Fuzzy Hash: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction Fuzzy Hash: BF516274900685EFCF10DF55D8849AE7BB6FF653A0F508159F9159B290D730ED81CB90

Function 001D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001D1AFD
WSAGetLastError.WSOCK32 ref: 001D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001D1B8A
WSAGetLastError.WSOCK32 ref: 001D1B94

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction ID: dc9e653a9dbf206e6a483291d1a077dc99d5ca9fe0ebd34a7cc33a2bfb1aca87
Opcode Fuzzy Hash: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction Fuzzy Hash: B041A034600200BFE720AF24D886F2A77E5AB58718F54845DF96A9F7D2D772ED42CB90

Function 0018B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction ID: f2e776e55a859074d6a0b3395ef26b1f5ccc7a646f84079ab6d2fdb41c2dc6b4
Opcode Fuzzy Hash: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction Fuzzy Hash: 60412B72A04304BFD725AF38CC82B6B7BE9EB94710F10452EF546DB292D3719A418B90

Function 001C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001C5783
GetLastError.KERNEL32(?,00000000), ref: 001C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001C57FA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction ID: 733dc6b9b03cdf19e4a0c0efbcba7eb371cf318c280a8343bf32ded21fccd3d1
Opcode Fuzzy Hash: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction Fuzzy Hash: 74415D39600610DFCB10DF55D485A5EBBE2EF99321B198488EC5AAF3A2DB30FD45CB91

Function 0018D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00176D71,00000000,00000000,001782D9,?,001782D9,?,00000001,00176D71,8BE85006,00000001,001782D9,001782D9), ref: 0018D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0018D9AB
__freea.LIBCMT ref: 0018D9B4

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction ID: fd4bb9f7dea0009ab7939417fff7d172ac2bddd42fa3f90be23e9203136373e1
Opcode Fuzzy Hash: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction Fuzzy Hash: B731D272A0021AABDF25AF65EC41EAE7BA5EB41714F054168FC08D7190EB35CE51CB90

Function 001E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001E5352
GetWindowLongW.USER32(?,000000F0), ref: 001E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E53A8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction ID: 2f491a41d5217aa22529be37b900f4ffd0c0111fb5350edc33af9b2b97fbca84
Opcode Fuzzy Hash: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction Fuzzy Hash: BA31DE34A55E88EFEB349A56CC46FED7767BB04398F584102FA10962E1C7B09980DB82

Function 001BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 001BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001BAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 001BACC6

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction ID: f37f863ee7e4d19b67551c6ca7b10cd812deb7ff55473df822427f5c7b52313f
Opcode Fuzzy Hash: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction Fuzzy Hash: E9314630A00358AFFF35CB65CC497FE7FA5AF89310F84431AE481962D1D374998187A2

Function 001E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001E769A
GetWindowRect.USER32(?,?), ref: 001E7710
PtInRect.USER32(?,?,001E8B89), ref: 001E7720
MessageBeep.USER32(00000000), ref: 001E778C

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction ID: a3581d90bca773694823afcefeba1646b45447e3f13d2e62680492b372ca3202
Opcode Fuzzy Hash: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction Fuzzy Hash: 0841A034A05694EFEB11CF9AD898EADB7F4FF59304F1540A8E4149B2A1C330A982CF90

Function 001E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001E16EB

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

GetCaretPos.USER32(?), ref: 001E16FF
ClientToScreen.USER32(00000000,?), ref: 001E174C
GetForegroundWindow.USER32 ref: 001E1752

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction ID: c278c9112368146cd88649b30dac667456a3d0518a0da61756d4290197422b01
Opcode Fuzzy Hash: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction Fuzzy Hash: B7314171D00249AFC704EFAAC8C1CEEB7F9EF59304B50806AE425EB251D7719E45CBA0

Function 001BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Process32NextW.KERNEL32(00000000,?), ref: 001BD52F
CloseHandle.KERNEL32(00000000), ref: 001BD5DC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: eee654ed68d241c6c11964aca8c6868bb4f5b5e50700c708d461648c4cd63562
Instruction ID: 47fcbbaa182a48eac7e539164a4c5f0a60f023f616c78ad5da5e7a6c0caacac8
Opcode Fuzzy Hash: eee654ed68d241c6c11964aca8c6868bb4f5b5e50700c708d461648c4cd63562
Instruction Fuzzy Hash: 19319031008340DFD314EF54D881AAFBBF8EFA9344F54092DF9918A1A1EB719989CB92

Function 001E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

GetCursorPos.USER32(?), ref: 001E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001A7711,?,?,?,?,?), ref: 001E9016
GetCursorPos.USER32(?), ref: 001E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001A7711,?,?,?), ref: 001E9094

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction ID: 07a48393b80b178ff8dc94814b513866549663635535062e04964ad28ab26fb0
Opcode Fuzzy Hash: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction Fuzzy Hash: C221D172600558FFCB258F95CC98EFE7BB9EF89350F444055F9058B261C3319AA1DBA0

Function 001BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001ECB68), ref: 001BD2FB
GetLastError.KERNEL32 ref: 001BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ECB68), ref: 001BD376

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction ID: 63dc299bb64272bf914e0637f6592426d026b28c3aae46a2320fdac3ec6dcbea
Opcode Fuzzy Hash: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction Fuzzy Hash: 9D2171B0505301DF8718DF68D8814AE77E4BF55764F104A1DF8A9CB2A2E731D94ACB93

Function 001B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
Part of subcall function 001B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
Part of subcall function 001B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
Part of subcall function 001B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001B15BE
_memcmp.LIBVCRUNTIME ref: 001B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B1617
HeapFree.KERNEL32(00000000), ref: 001B161E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction ID: 43b7fdb36078d8ec6117ca69dadcea068772ad06f5cd4ad79c6a2b8bf60ef420
Opcode Fuzzy Hash: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction Fuzzy Hash: 1E21AC32E00208FFDF10DFA5C965BEEB7B8EF45354F4A8459E441AB241E770AA45CBA0

Function 001E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001E2840

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 39f6c055cb0768054cfa28b04f092c7c6bfece6c8a63bf8af3c608e777d961ad
Instruction ID: 5418bf91bd2b4b1b0f5f122f834d851e36490f72e5258ff4e49beafd6c6d075e
Opcode Fuzzy Hash: 39f6c055cb0768054cfa28b04f092c7c6bfece6c8a63bf8af3c608e777d961ad
Instruction Fuzzy Hash: 1121F431604990AFD7149B25CC95FAE7799AF95324F148158F8268F6D2C771FC82C7D0

Function 001B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8D8C
Part of subcall function 001B8D7D: lstrcpyW.KERNEL32(00000000,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B8DB2
Part of subcall function 001B8D7D: lstrcmpiW.KERNEL32(00000000,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7923
lstrcpyW.KERNEL32(00000000,?,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7984

Strings

cdecl, xrefs: 001B797B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 078ca9ed4b6346f1e9b2cafaba37f4315a893ac254beeab059ce12216a136874
Instruction ID: 446d6b0ead6fe286b82933afe4687ab0f7115d3e0fded0719ee9be3b60822383
Opcode Fuzzy Hash: 078ca9ed4b6346f1e9b2cafaba37f4315a893ac254beeab059ce12216a136874
Instruction Fuzzy Hash: 1D11263A200342ABCB15AF74DC44DBA77A9FF95764B00402AF802CB2A4EB31D812C7A1

Function 001E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001CB7AD,00000000), ref: 001E7D6B

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2a77bd631556dfb89eb9bc08660b8b87f50442ae81bcfa2361f67333869f35ad
Instruction ID: 3ae8975035c771faa20d49b498750345ea4753a893dc68b995211411eabc8d78
Opcode Fuzzy Hash: 2a77bd631556dfb89eb9bc08660b8b87f50442ae81bcfa2361f67333869f35ad
Instruction Fuzzy Hash: 8E11AE31204A95AFDB108FA9DC44EBA3BA4BF45360B154724F835CB2F0D73089A1CB80

Function 001E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001E56BB
_wcslen.LIBCMT ref: 001E56CD
_wcslen.LIBCMT ref: 001E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction ID: 67c7610adf6a37e576d34c0914502f3ebba8f9f4fd3809ff34131aaf7ff82c02
Opcode Fuzzy Hash: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction Fuzzy Hash: 1111D375A00A99A6DF209FA2CCC5AEE77BCEF15768F148026F915D6081E770CA80CB60

Function 00181D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410a2a542dbd98e980337777be7eb31321473d5b1e2807328fe84dcbe564e28c
Instruction ID: 9bbe75c181fffc123f813da08482c2208d971a37fec86231d4fbec59caab65ad
Opcode Fuzzy Hash: 410a2a542dbd98e980337777be7eb31321473d5b1e2807328fe84dcbe564e28c
Instruction Fuzzy Hash: E301DBB3209A567EF62136F86CC8F2B665CDF513B8B310725F520A11D2DB208E424A60

Function 001B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A8A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction ID: a40292b94913eb253cdb6edad3f77eaaf9eccec4fbceb0a93fb475b6c635bbc8
Opcode Fuzzy Hash: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction Fuzzy Hash: 5011273A901219FFEB109BA4CD85FEDBB79EB08750F210091EA00B7290D7716E50DB94

Function 001BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001BE24D

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction ID: abe6a3688d147d811b50f25573720d6fc33585df944201ba5b598f0da026f622
Opcode Fuzzy Hash: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction Fuzzy Hash: E411E176904258BBC721DBE8AC49ADE7BEDAB45320F104299F825E3291D7B099018BA0

Function 0017D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0017CFF9,00000000,00000004,00000000), ref: 0017D218
GetLastError.KERNEL32 ref: 0017D224
__dosmaperr.LIBCMT ref: 0017D22B
ResumeThread.KERNEL32(00000000), ref: 0017D249

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction ID: fc3e66a432cae2e91e78886cfc5a2491d5d5ed5b3eac17a5a9f6fa94db7edfa8
Opcode Fuzzy Hash: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction Fuzzy Hash: DD01D236805208BBCB116BA5EC09BAF7A79EF91731F208219F929961D1CF70C942C6E0

Function 001E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

GetClientRect.USER32(?,?), ref: 001E9F31
GetCursorPos.USER32(?), ref: 001E9F3B
ScreenToClient.USER32(?,?), ref: 001E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001E9F7A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 60fd14a6cc96986b21fed97eee685a68f536580fc6cdf52e45ba8fa14f02d8ba
Instruction ID: 74a082ac1d24f3f880566378d7b2ab32b8f7a65ce48c5ed8fe5c0768bb4689ec
Opcode Fuzzy Hash: 60fd14a6cc96986b21fed97eee685a68f536580fc6cdf52e45ba8fa14f02d8ba
Instruction Fuzzy Hash: B211367290069AABDB10DFAAD889DEE7BB9FF05311F000451F911E7151D330BA92CBE1

Function 0015600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
GetStockObject.GDI32(00000011), ref: 00156060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction ID: ca1273e21113052dea6ccfbe7369bdc883fc8abeabe74e4c71ce7eeee7016993
Opcode Fuzzy Hash: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction Fuzzy Hash: 23118B72501648FFEF164FA4DC84EEABB69EF183A5F440201FE245A150C7369CA19BE0

Function 00173B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00173B56

Part of subcall function 00173AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00173AD2
Part of subcall function 00173AA3: ___AdjustPointer.LIBCMT ref: 00173AED

_UnwindNestedFrames.LIBCMT ref: 00173B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00173B7C
CallCatchBlock.LIBVCRUNTIME ref: 00173BA4

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 63fdb484111fcd34d67418c56c921a40c69e77d129e60978e7f4185fed160a71
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6901E932100149BBDF125E95CC46EEB7B79EF58754F048018FE6C96121C732E961EBA1

Function 00183073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001513C6,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue), ref: 001830A5
GetLastError.KERNEL32(?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000,00000364,?,00182E46), ref: 001830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000), ref: 001830BF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction ID: e03e78561e1531b4bf3e80a5f7e45164ccd89b6627098c43311297549a8ccc8e
Opcode Fuzzy Hash: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction Fuzzy Hash: AA01A732751322EBCB315BF9AC8896B7B98AF45F61B190720F925E7540D721DB42CBE0

Function 001B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001B74CA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction ID: 8a6267883d3a965de25dc564b9630db69c10a9853cea973606a28e5af70636d8
Opcode Fuzzy Hash: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction Fuzzy Hash: 5611A1B12093149BE7209F54DC48FD67BFCEB40B01F108969E616DA5D1D770E944DB90

Function 001BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB126

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction ID: d7d6ca2225c388a499725ca3b9db81e3dd8fdecdda71b296ed4896f4ad965c4d
Opcode Fuzzy Hash: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction Fuzzy Hash: 4E113971C0552CE7CF04AFE8E9E86FEBB78FF0A711F114085E941B6681CBB096518B91

Function 001E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E7E33
ScreenToClient.USER32(?,?), ref: 001E7E4B
ScreenToClient.USER32(?,?), ref: 001E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001E7E8A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 65afbec5e2a805e3d5a04422289538ba9e167b3ffce2aa9741b6fc4711205582
Instruction ID: bffb23cd39a0255700f9c6d34ddafb1c8953016e9a434207c6277de24a4af33c
Opcode Fuzzy Hash: 65afbec5e2a805e3d5a04422289538ba9e167b3ffce2aa9741b6fc4711205582
Instruction Fuzzy Hash: 3F1186B9D0024AAFDB41CF99D8849EEBBF5FF08310F104056E911E3610D734AA95CF90

Function 001B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
GetCurrentThreadId.KERNEL32 ref: 001B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction ID: 78eb0e92972cfff952966d3d02f5f642e533261d353615e6875261b07e5b2489
Opcode Fuzzy Hash: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction Fuzzy Hash: 9DE09272101224BBDB201BF29C4DFEF7E6CEF46BA1F000019F105D55809BA0C886C6F0

Function 001E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001E8887
LineTo.GDI32(?,?,?), ref: 001E8894
EndPath.GDI32(?), ref: 001E88A4
StrokePath.GDI32(?), ref: 001E88B2

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction ID: 50293e575f18c032634952dc56eae5cdf6e1a3facc1927af38d952f567ffc050
Opcode Fuzzy Hash: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction Fuzzy Hash: 22F03A3A041698FADB125FD4AC0DFCE3A59AF16310F048000FE12690E1C77555A2CFE5

Function 001698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001698CC
SetTextColor.GDI32(?,?), ref: 001698D6
SetBkMode.GDI32(?,00000001), ref: 001698E9
GetStockObject.GDI32(00000005), ref: 001698F1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction ID: f1722d5a1ba19309466168c2a872140b64be357324a72ec4c6b13aadee6ecc6e
Opcode Fuzzy Hash: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction Fuzzy Hash: 13E06D31244680EADB215BB8EC49BEC3F61EB52736F048219F6FA584E1C37146919F10

Function 001B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001B11D9), ref: 001B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B164F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction ID: 33f6b75816b53be5178a26024104fdc0deba0cd74ffa4cfa1b1d376cc20cebad
Opcode Fuzzy Hash: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction Fuzzy Hash: 4DE08C36602211EBD7201FE4AE4DB8F3B7CAF547A2F158808F646CD080E7748482CBA0

Function 001AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD858
GetDC.USER32(00000000), ref: 001AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction ID: 7683996b03be14eb6ceeeea1f4397ea6a63391dbab261563ee672c46cb96b620
Opcode Fuzzy Hash: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction Fuzzy Hash: A0E01AB8800204DFCF419FE4DC4866EBBB1FB48311F118409F816EB750C7384992AF80

Function 001AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD86C
GetDC.USER32(00000000), ref: 001AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction ID: f3099c2a4f126f4b9dd719f364912cdb8a383943c695fdb07094f23851925816
Opcode Fuzzy Hash: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction Fuzzy Hash: 93E012B4C00200EFCF40AFE4DC8866EBBB1BB48311B108409F81AEB750CB385982AF80

Function 001C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001C4ED4

Strings

*, xrefs: 001C4E10
LPT, xrefs: 001C4DFB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d9f3a8be085910c2e63ed4b791bf2db02fb62bced4a17ad3ca48650111fa84e8
Instruction ID: bdccafb17d88d01912f4a739ad55d167985cfabd5715cb449c37e88f0b010c42
Opcode Fuzzy Hash: d9f3a8be085910c2e63ed4b791bf2db02fb62bced4a17ad3ca48650111fa84e8
Instruction Fuzzy Hash: C0917B74A042049FDB14DF58C494FAABBF1AF64304F19809DE84A9F3A2D735EE85CB90

Function 0017E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0017E30D

Strings

pow, xrefs: 0017E2E5, 0017E302

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction ID: 2f0414df68c60a4ff7c075c712b45b4cffc0499d565ba97df42b11ec6c2f4479
Opcode Fuzzy Hash: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction Fuzzy Hash: D7513761A0C20296CB157724C94137A3BF4AB54740F34CED8E09A832E9EB35CED1DF46

Function 001D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,?,00000000,00000000), ref: 001D78DD

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,00000000,?,00000000,00000000), ref: 001D783B

Strings

<s!, xrefs: 001D77C8

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s!
API String ID: 3544283678-2588671885
Opcode ID: 6f136ba13e0a4b870e11e2b5d7d5b78700fcc5ea3454ab223baa48ae8a086b43
Instruction ID: cfb542ee91d69d090ebdbc296683a686a1a9c4ac2d9e7329ceb66f450223305a
Opcode Fuzzy Hash: 6f136ba13e0a4b870e11e2b5d7d5b78700fcc5ea3454ab223baa48ae8a086b43
Instruction Fuzzy Hash: 31615E72914118EACF08EBA4DCA1DFDB374BF28305B844526E952AB191FF345A49DBA0

Function 0016E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0016E1B1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction ID: ed717b7508800db7161ba330e6c7f9fe28721e13770d2ac604829c4ad372bcc3
Opcode Fuzzy Hash: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction Fuzzy Hash: C6516479900346DFDB19DFA8C891ABA7BE5EF26310F244119FC919B2C0DB349D56CBA0

Function 0016F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0016F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0016F2BB

Strings

@, xrefs: 0016F2AF

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction ID: 33689b676728d23587d7eb94e7320452bb124306e9654ff776032c993270386d
Opcode Fuzzy Hash: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction Fuzzy Hash: D0515771408744DBD320AF14EC86BAFBBF8FB95301F81884DF5E945196EB708529CBA6

Function 001D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001D57E0
_wcslen.LIBCMT ref: 001D57EC

Strings

CALLARGARRAY, xrefs: 001D57E6, 001D57EB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 7bfc63b134682a0018854c82a073104d85b78877134c8315c3802770e8a9dd96
Instruction ID: 40d88311a2f2c46150392b930240810290fb121da801e6ccbc20ad61cddd0d03
Opcode Fuzzy Hash: 7bfc63b134682a0018854c82a073104d85b78877134c8315c3802770e8a9dd96
Instruction Fuzzy Hash: 2041A031A00209DFCF14DFA9C8818AEBBB6FF69314F10416AE515AB391E7349D81CB90

Function 001CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001CD13A

Strings

|, xrefs: 001CD10B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction ID: 6b5276cf5ae7eddfe0135b784975c3185359ca399ad6f7b1fcc47067c3dbb471
Opcode Fuzzy Hash: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction Fuzzy Hash: 3531F871D01109ABCF15EFA4DC85AEE7BB9FF24300F040069F815AA161D731AA46CB90

Function 001E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001E365C

Strings

static, xrefs: 001E35BC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 51e80e53f5804a8a948efc91d1a4844604631b45b099b4a336ddb2ab66057a44
Instruction ID: 5d4caa35a8b88a046845d9e54ab0ff147b3ea99aeab738c1e5c243c3dfea4321
Opcode Fuzzy Hash: 51e80e53f5804a8a948efc91d1a4844604631b45b099b4a336ddb2ab66057a44
Instruction Fuzzy Hash: D5319E71100A44AEDB109F79DC85EFF73A9FF98760F009619F8A597280DB31AD92D760

Function 001E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E4634

Strings

', xrefs: 001E458E

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction ID: b6af29e73e9d958a400243e0d7b8fb02bc79c841d8dd976b76299186daa41de7
Opcode Fuzzy Hash: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction Fuzzy Hash: A8311874A01759AFDB14CFAAC990BDEBBB5FF49300F14406AE905AB391D770A941CF90

Function 001E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E3287

Strings

Combobox, xrefs: 001E3249

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction ID: 61100ad46a4a10fd3b6e7eb7e646975c4849a0d3ace3081b4f5205181d7079c5
Opcode Fuzzy Hash: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction Fuzzy Hash: E411D3712005497FEF259E95DC88EAF37AAEB943A4F100124FA6897290D7319D518760

Function 001E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

GetWindowRect.USER32(00000000,?), ref: 001E377A
GetSysColor.USER32(00000012), ref: 001E3794

Strings

static, xrefs: 001E3757

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction ID: 6d1e68bef1bee937c8da48ced31df3082846c384055d3c08ef292048b5d043fe
Opcode Fuzzy Hash: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction Fuzzy Hash: A51159B2610649AFDF10DFA8CC49EEE7BB8EB08314F004514F965E3250D735E8519B90

Function 001CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001CCDA6

Strings

<local>, xrefs: 001CCD66

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction ID: 5686faf0816ecec6b156ccb49130a1defc4513729ce8fb24d54205a304b25af1
Opcode Fuzzy Hash: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction Fuzzy Hash: 7B11A77151563179D7284AA69C45FF7BE68EB227A4F014229F10E86080D770DC41D6F0

Function 001E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001E34BA

Strings

edit, xrefs: 001E348F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction ID: 2e7d0b47a85f17fb0774e0d2f9c84b999c345e4860e683ef4b12bf70871a6acc
Opcode Fuzzy Hash: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction Fuzzy Hash: C111BF71100588AFEB124E65DC88AEF376AEF15374F504324F970971D0C731DD929B50

Function 001B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

CharUpperBuffW.USER32(?,?,?), ref: 001B6CB6
_wcslen.LIBCMT ref: 001B6CC2

Strings

STOP, xrefs: 001B6CBC, 001B6CC1

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
Instruction ID: 088d5af765dcec3b54c479d4915abd5065ead735fc314680db80a61a70d89301
Opcode Fuzzy Hash: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
Instruction Fuzzy Hash: C9010032A00526CBCB20AFFDDC918FF7BB5EB75710B400928E8A29A190EB39D844C650

Function 001B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001B1D4C

Strings

ListBox, xrefs: 001B1D16
ComboBox, xrefs: 001B1CEB

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 74b53c938c029581be1a84848072f13b5fa4ab1d1f2cd46f30c2dee73a0db3c1
Instruction ID: 26c9c6cb9fa50c3f74982c47d15f2773704bcaea59804380c91aeeb32e56d0d6
Opcode Fuzzy Hash: 74b53c938c029581be1a84848072f13b5fa4ab1d1f2cd46f30c2dee73a0db3c1
Instruction Fuzzy Hash: A101B575601218EB8B08EBE4CC658FE77A9EB66350B54091AF8325B2C1EB30591D8661

Function 001B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001B1C46

Strings

ListBox, xrefs: 001B1C10
ComboBox, xrefs: 001B1BE5

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
Instruction ID: 5ea96a0037408dc0ed90dbceca7d08da76d8461c0481d1c237844bb828086abf
Opcode Fuzzy Hash: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
Instruction Fuzzy Hash: 8B01A775681108F6CB08EB90D9629FF7BA89F66340F540019E8166B282EB209F1C96B2

Function 001B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001B1CC8

Strings

ListBox, xrefs: 001B1C94
ComboBox, xrefs: 001B1C69

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
Instruction ID: 012fd4836a20d8bef3b827731a48e106013bbdb927a636c28b6f9f120157e76a
Opcode Fuzzy Hash: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
Instruction Fuzzy Hash: DF01DB75640118F7CB04E794CA11AFF7BE89B21340F950015FC1177281EB209F1DD672

Function 001B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001B1DD3

Strings

ListBox, xrefs: 001B1DA0
ComboBox, xrefs: 001B1D75

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 32c25943b9c8436c5e63264a2fe75d7f5b0835e516f35f9d6854d7c95d2df20c
Instruction ID: 4161c3fa190f5b91a2bf0ea86fbe66ca092153f56646e78bcda81bfffc5da089
Opcode Fuzzy Hash: 32c25943b9c8436c5e63264a2fe75d7f5b0835e516f35f9d6854d7c95d2df20c
Instruction Fuzzy Hash: 85F0A975A51218F6D704E7E4CC55AFF77B8AB22350F940915F8326B2C5DB605A1C8261

Function 001E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00223018,0022305C), ref: 001E81BF
CloseHandle.KERNEL32 ref: 001E81D1

Strings

\0", xrefs: 001E818A

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0"
API String ID: 3712363035-2428598737
Opcode ID: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction ID: 2e40c9d42616838996e9349ade22f8f60ebb21a2413dba469735e65309b06851
Opcode Fuzzy Hash: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction Fuzzy Hash: 4FF054B1640310BEE220A7A17C49F773A5CEB04751F004420FB0CD91A1D6798B5282F8

Function 001D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D7493
_wcslen.LIBCMT ref: 001D74B9

Strings

3, 3, 16, 1, xrefs: 001D7483

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction ID: d8b50a33ec9524ef5f72f4682182af5cf1362b8ede9105729b58e483d968d7e4
Opcode Fuzzy Hash: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction Fuzzy Hash: BCE02B0221422012923212799CC197F56D9CFE9750710182BFA89C23A6FB948D9193A1

Function 001B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001B0B23

Strings

Error allocating memory., xrefs: 001B0B1C
AutoIt, xrefs: 001B0B17

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7cff0a2107ba497ac92726ea5889c3c8b57d8d1806037835608c77d1c8eb0213
Instruction ID: b522ed2816181fe1fa2d91f2f4153885c91ced9d734d2f32e260b30b0f567427
Opcode Fuzzy Hash: 7cff0a2107ba497ac92726ea5889c3c8b57d8d1806037835608c77d1c8eb0213
Instruction Fuzzy Hash: A0E0D8312843586BD21437957C03FCD7A848F19F25F20046AFB58994C38BE228A106E9

Function 00170D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0016F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00170D71,?,?,?,0015100A), ref: 0016F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0015100A), ref: 00170D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0015100A), ref: 00170D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00170D7F

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction ID: 1ecf9bbbeb07ae63412d363eacc90ded98c658e9610da08c45e8baff5d4faca0
Opcode Fuzzy Hash: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction Fuzzy Hash: 8FE06D742007818FD3319FF9E94874A7BF1EB18744F00896DE89ACA651EBB0E4868B91

Function 0016E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0016E3D5

Strings

0%", xrefs: 0016E3B5
8%", xrefs: 0016E3CA

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%"$8%"
API String ID: 1385522511-3788803983
Opcode ID: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction ID: d619edb0e12bfc303d7e298afb9e4b9e67d831740ed940c398311992d8affb43
Opcode Fuzzy Hash: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction Fuzzy Hash: 06E02636810A20FBCA1D975CFE58A8833A1BF18320BD0A268E4028F2D19B3628768644

Function 001C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001C3044

Strings

aut, xrefs: 001C3038

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction ID: 410ae1509be0c9d4359b6a238850cdf57ee8c7a2887503001cb1b80c720b5ab3
Opcode Fuzzy Hash: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction Fuzzy Hash: 39D05E7290032867DA20A7E4AC4EFCF7A7CEB05751F0002A1BB55E6091DAB099C5CAD0

Function 001AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001AD220

Strings

X64, xrefs: 001AD2A8
%.3d, xrefs: 001AD22B

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction ID: afa0c6353f5650894943ad4bd79274df72d4393c238372b3ec9a200c448fb1b7
Opcode Fuzzy Hash: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction Fuzzy Hash: 53D012A9C08509E9CB5496D0EC45AFAB3BCBB1A341F528453FD07D1440D724C559E762

Function 001E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001E233F

Part of subcall function 001BE97B: Sleep.KERNELBASE ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2325

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e649d085abb80793aef17b7c43b1aeeaaa72b0408a2973f2926fa216584a7c30
Instruction ID: e57750987ea396fa223f91b42a4b32ff763b37ced48f95a6e1ec01358bf0cdca
Opcode Fuzzy Hash: e649d085abb80793aef17b7c43b1aeeaaa72b0408a2973f2926fa216584a7c30
Instruction Fuzzy Hash: 8DD0C9363D5350BAE664A7B0DC4FFCBAA549B14B14F044916B645AA1D0CAA0A8868A94

Function 001E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E236C
PostMessageW.USER32(00000000), ref: 001E2373

Part of subcall function 001BE97B: Sleep.KERNELBASE ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2365

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 581fda15cc5c104fabd72139bf22147c5faa438d81ea8a6baabc4f134b46b2b8
Instruction ID: 1ce3e3fba8c06d0c8eee10c6219fc57525596253e0336a4c8d25ef29e51092d7
Opcode Fuzzy Hash: 581fda15cc5c104fabd72139bf22147c5faa438d81ea8a6baabc4f134b46b2b8
Instruction Fuzzy Hash: 0DD0C9363D1350BAE664A7B0DC4FFCBA6549B15B14F044916B645AA1D0CAA0B8868A94

Function 0018BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0018BE93
GetLastError.KERNEL32 ref: 0018BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018BEFC

Memory Dump Source

Source File: 00000000.00000002.1784789230.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.1784771279.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784849266.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784904133.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1784919214.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 86a543253729a9f11f06067ed46e88676fa99409e99810c2cc6f6b52f8227fc4
Instruction ID: c697e2697df75e250a9df4318d00ec40c141fbbd990f4732ec6e1962e281821f
Opcode Fuzzy Hash: 86a543253729a9f11f06067ed46e88676fa99409e99810c2cc6f6b52f8227fc4
Instruction Fuzzy Hash: 5D41FA35608206EFCF25AFA4CCC4ABA7BB5EF42310F154169FA595B1A1DB308E41CF50

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=555306652&timestamp=1727888458918 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=K0eKjaNklXRZ50lSgNrYReWzWA-fsxRiO0RMxlvwkCQ-ug_yL0-9pnttPLyBXSW_1lG0-I4niidVESLRLVXm2mThCQdIkwPXuF30HhtSVKqM7TbAkPdQZqDHCsTTG-4D5a071Cll6VGx9FWmo6b2GtxwDR5mcjZx-sW5vc9wJy3T63FWwg
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4WVoa1EKVMpv428&MD=3agPLFr8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4WVoa1EKVMpv428&MD=3agPLFr8 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Static File Info

General

Windows Analysis Report
file.exe

Function 0016F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 001542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00192BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00152CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0019065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0015344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre