Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524413
MD5:	17e81ded92e36f3d9cb2e548e9765cbe
SHA1:	7bad6623b670b99f64e4796c96bd3151efe94c10
SHA256:	96dcbbee1239cbb0d455b0b00532cd8d8b8bbe292f1ad5926670c91c88acc154
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 17E81DED92E36F3D9CB2E548E9765CBE)

taskkill.exe (PID: 7000 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 1020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4872	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_105.6.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_105.6.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_106.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_105.6.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_105.6.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_106.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_106.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_105.6.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_105.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_105.6.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_105.6.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_105.6.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_106.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_105.6.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_105.6.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_105.6.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_106.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_105.6.dr	String found in binary or memory: https://www.google.com
Source: chromecache_105.6.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_106.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_105.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_105.6.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.1428812963.00000000017B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_105.6.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.9:49760 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_000EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_000DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00109576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00109576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5d348c21-9
Source: file.exe, 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7fde3694-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cdc47121-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_512eb57d-1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E2046	0_2_000E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00078060	0_2_00078060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D8298	0_2_000D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AE4FF	0_2_000AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A676B	0_2_000A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00104873	0_2_00104873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009CAA0	0_2_0009CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007CAF0	0_2_0007CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008CC39	0_2_0008CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A6DD9	0_2_000A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008B119	0_2_0008B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000791C0	0_2_000791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091394	0_2_00091394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091706	0_2_00091706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009781B	0_2_0009781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00077920	0_2_00077920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008997D	0_2_0008997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000919B0	0_2_000919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00097A4A	0_2_00097A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091C77	0_2_00091C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00097CA7	0_2_00097CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FBE44	0_2_000FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A9EEE	0_2_000A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091F32	0_2_00091F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00079CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00094963 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0008F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00090A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@42/36@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E37B5 GetLastError,FormatMessageW,

0_2_000E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D10BF AdjustTokenPrivileges,CloseHandle,		0_2_000D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000FA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_000E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000742A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00090A76 push ecx; ret

0_2_00090A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0008F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00101C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00101C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96403

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AC2A2 FindFirstFileExW,	0_2_000AC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E68EE FindFirstFileW,FindClose,	0_2_000E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_000E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_000E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_000E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000742DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96550

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000EEAA2 BlockInput,

0_2_000EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00094CE8 mov eax, dword ptr fs:[00000030h]

0_2_00094CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_000D0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0009083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000909D5 SetUnhandledExceptionFilter,	0_2_000909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00090C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00090C21

Source: C:\Users\user\Desktop\file.exe

0_2_000D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0008F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0008F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_000F22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_000D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00090698 cpuid

0_2_00090698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_000E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CD27A GetUserNameW,

0_2_000CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_000AB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4872, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4872, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_000F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_000F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	216.58.206.46	true	false	unknown
www3.l.google.com	142.250.185.110	true	false	unknown
play.google.com	142.250.185.142	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
youtube.com	142.250.185.78	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_105.6.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_105.6.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_106.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_105.6.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_106.6.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_105.6.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_105.6.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_105.6.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_105.6.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_105.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	youtube.com	United States	15169	GOOGLEUS	false
142.250.185.110	www3.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.9

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524413
Start date and time:	2024-10-02 19:03:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@42/36@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 46 Number of non-executed functions: 322
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 74.125.71.84, 142.250.184.206, 34.104.35.123, 142.250.186.99, 142.250.185.234, 142.250.185.202, 172.217.18.106, 216.58.212.138, 142.250.186.138, 142.250.185.74, 216.58.206.74, 142.250.185.170, 142.250.74.202, 142.250.186.74, 142.250.186.42, 172.217.18.10, 142.250.186.106, 172.217.16.202, 142.250.185.138, 142.250.185.106, 142.250.185.227, 216.58.212.170, 142.250.184.234, 142.250.184.202, 142.250.181.234, 142.250.186.170, 216.58.206.42, 192.229.221.95, 142.250.186.67, 64.233.167.84, 142.250.186.174
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:04:53 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9815714560277438
Encrypted:	false
SSDEEP:	48:8FdaZTXwqHmidAKZdA1P4ehwiZUklqeh1y+3:8C8LOmy
MD5:	B25FA5DDF11334CAE2A248DB6BE8BAA4
SHA1:	E7E3A8A9FEEDE8A38FE9F8EAFE07E110FE4DB29C
SHA-256:	AB0FEEC1797EC2CEC53A55C1BDD4FBF77ABB1EF8A5FB30CF67C95C18FFDA8CFC
SHA-512:	8890E9470736842835A320AC7AFD5C398A89F818EDB9313AC76F976C1FA28EF02D618086B8AF8D4B95B28D42450E0B11C73E8708DD33D7664B045410625282E9
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....S3......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:04:53 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.997701998426123
Encrypted:	false
SSDEEP:	48:8WdaZTXwqHmidAKZdA1+4eh/iZUkAQkqehWy+2:8f86F9QLy
MD5:	E84FD941DD753B0EB0A32712AEE9F8FA
SHA1:	C2113769BCB40D09816682EFB3398DCC621ADD18
SHA-256:	9E62D47CB0C652E3A1D766227ED73D06CABCAB9A186569C84EB0A62C5DAA0E2C
SHA-512:	EF969F22437EE3EEE72B36C811C2467DEBF8CBCE4018F4854BE1DF240878228557F1CCB2C46FE312228EF060CDC7C4CA666274E087B7A94F0E9B7B6D4E7C2780
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....v.B3......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:56:51 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.006162035631228
Encrypted:	false
SSDEEP:	48:8WdaZTXwVHmidAKZdA1404eh7sFiZUkmgqeh7sEy+BX:8f8WInqy
MD5:	214E76306C05741BF264358A14CB023F
SHA1:	689792FE28C96487A70DF03CAAE513C67AC70669
SHA-256:	F93A651E44D57E9CC4FC53EFE77ECC307F073C644265618C6BFCE627143CE1F5
SHA-512:	C0619D729427D48B88D4FC070C460F858C165651A7B528186240A20F067E58FF1709AEC0DD3562DC2510F6BE45D3B4327CFAE85E26C383C21C2114654C623C29
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....<}.i.....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VEW.F...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:04:53 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9973792530372303
Encrypted:	false
SSDEEP:	48:8MdaZTXwqHmidAKZdA1p4ehDiZUkwqehCy+R:898t58y
MD5:	B88A4C3372031099896592ECAB0C4B07
SHA1:	11B142FED21F1D85E9C54909D316A78462BB6531
SHA-256:	72B422F164B901B47FAD77184A97FE9064309E5BC2700BE9524B3CCF9A39F8C6
SHA-512:	220287570DF2551019193B9B3CE16E909147BA9289A8058A3E21D231B1EC624065E464BEA3A2AC14766610AA5F0AC8751B323F39E92A30419CC68289985692FA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......;3......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:04:53 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.983384486453405
Encrypted:	false
SSDEEP:	48:8/daZTXwqHmidAKZdA1X4ehBiZUk1W1qehIy+C:8s8Tb9oy
MD5:	776CFC9FD950959F18D6C23C51E0E406
SHA1:	9CFA7A379C56294AA42D413B88F4B9CA42CD36AB
SHA-256:	7D86E4F93C0F024437243AF648EE072E9BFBB10FE1C2BBB4D69A4371F94DB0E2
SHA-512:	62D2633F2F58277DAECBF3699A8A15EF198A033D1C81A11585ED3E160DA4CCD20F7FEE983271E6D9F9288001048E446C7570D6278E3314323F7C7C6199E85494
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....\L3......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 16:04:53 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9931629131599196
Encrypted:	false
SSDEEP:	48:8JdaZTXwqHmidAKZdA1duTc4ehOuTbbiZUk5OjqehOuTbqy+yT+:8m88TcJTbxWOvTbqy7T
MD5:	9CD93C70A1F44F06D7F332A99E42AEF8
SHA1:	AD664A6257229EE8C489E9B4242C339407BFE0B8
SHA-256:	EB9A71F78EA8CF201E939203F086B8116AF394157A47D960059E6D9BCBF6E1F4
SHA-512:	B1403642E52B3A9F1B0EEDFA44773ED3465A0A797D6348AF08AD5444CFE9F5E07950EC85789311A9901B4BD817FCB0346DDA9E4D743E836097F7B79CDF6DD4ED
Malicious:	false
Preview:	L..................F.@.. ...$+.,....7#23......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............f.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 104

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 105

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 106

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791085889652278
Encrypted:	false
SSDEEP:	6144:aVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:7fd8j91/N
MD5:	D20AA383CD31013B68BB10390CBE0230
SHA1:	2DF35559BBA0B93FE305C4B828324E9F9EFA234D
SHA-256:	9F91BD315E202B9EC035C25EFFCE646CEC9AB1E8599496198AA8BEC437CDD228
SHA-512:	EA023EEB24C48A2F463E0CFC9107C6FCD76BBA9292ED49839AAF0AC7845DBD48AB4876376A6A7D4EE902B0649BFE5E0AC2960D954079A94BF2F64A5BC2CBCD9C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHJL2nU2EL_uUPBIEb5OQMKdqHGhg/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081e4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 108

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 109

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 110

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 111

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 112

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 113

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 114

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 115

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582342635860022
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	17e81ded92e36f3d9cb2e548e9765cbe
SHA1:	7bad6623b670b99f64e4796c96bd3151efe94c10
SHA256:	96dcbbee1239cbb0d455b0b00532cd8d8b8bbe292f1ad5926670c91c88acc154
SHA512:	c7895e2c90370d4a6636c73962f44c9289ebdfd0aeb08edb02c90e211ff406d0a2002155f30fee8dac0cd408c8471ca1cb4a2eaed8b0e41aa542c713ff9065ed
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaMTQ:9qDEvCTbMWu7rQYlBQcBiT6rprG8acQ
TLSH:	55159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD7470 [Wed Oct 2 16:27:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F78089DF943h
jmp 00007F78089DF24Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F78089DF42Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F78089DF3FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F78089E1FEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F78089E2038h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F78089E2021h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9934	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9934	0x9a00	dad245c2c495499b64826ad558d63db0	False	0.3033938717532468	data	5.280185543668453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xbfc	data			1.0035853976531943
RT_GROUP_ICON	0xdd3b4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd42c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd440	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd454	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd468	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd544	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:04:44.303410053 CEST	49676	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:44.304339886 CEST	49675	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:44.568718910 CEST	49674	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:44.678128958 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 19:04:49.490573883 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 19:04:50.678184032 CEST	49673	443	192.168.2.9	204.79.197.203
Oct 2, 2024 19:04:52.188419104 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.188426971 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.188474894 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.189538002 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.189553022 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.847599030 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.848227024 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.848248959 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.848814011 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.848869085 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.849801064 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.849853039 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.860198975 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.860327005 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.868448019 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:52.868467093 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:52.914699078 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:53.136317968 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:53.137397051 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:53.137449980 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:53.140940905 CEST	49708	443	192.168.2.9	142.250.185.78
Oct 2, 2024 19:04:53.140958071 CEST	443	49708	142.250.185.78	192.168.2.9
Oct 2, 2024 19:04:53.151284933 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.151324987 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.151381969 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.151565075 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.151581049 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.799434900 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.799704075 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.799724102 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.800111055 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.800173044 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.800832987 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.800882101 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.802069902 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.802128077 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.802325964 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.802339077 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:53.852233887 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:53.914722919 CEST	49676	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:53.914813042 CEST	49675	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:54.118947983 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:54.119003057 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:54.119062901 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:54.119075060 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:54.119199991 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:54.119324923 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:54.122311115 CEST	49712	443	192.168.2.9	216.58.206.46
Oct 2, 2024 19:04:54.122328997 CEST	443	49712	216.58.206.46	192.168.2.9
Oct 2, 2024 19:04:54.173662901 CEST	49674	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:55.907233953 CEST	443	49704	23.206.229.209	192.168.2.9
Oct 2, 2024 19:04:55.907378912 CEST	49704	443	192.168.2.9	23.206.229.209
Oct 2, 2024 19:04:56.752278090 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:56.752310991 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:56.752405882 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:56.752598047 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:56.752612114 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.391828060 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.394931078 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:57.394942045 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.396352053 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.396400928 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:57.397969007 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:57.398062944 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.437659979 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:57.437666893 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:04:57.487108946 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:04:57.921194077 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:57.921238899 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:57.921300888 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:57.923942089 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:57.923955917 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.579094887 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.579164028 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.585279942 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.585314989 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.585591078 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.633508921 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.651597977 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.699408054 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.851243973 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.851326942 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.851460934 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.877912045 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.877948046 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.877963066 CEST	49722	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.877969980 CEST	443	49722	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.937927008 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.937958002 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:58.938102007 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.938934088 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:58.938946962 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.102195024 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 19:04:59.577079058 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.577970982 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.578849077 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.578854084 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.579108000 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.581099033 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.623394966 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.853065014 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.853135109 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.853188992 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.860562086 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.860562086 CEST	49727	443	192.168.2.9	184.28.90.27
Oct 2, 2024 19:04:59.860575914 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:04:59.860584021 CEST	443	49727	184.28.90.27	192.168.2.9
Oct 2, 2024 19:05:01.448230028 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:01.448272943 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:01.448573112 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:01.448919058 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:01.448936939 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.132370949 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.132644892 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.132663965 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.133068085 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.133214951 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.133802891 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.134135962 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.134987116 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.135081053 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.135257959 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.135265112 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.180104971 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.475404024 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.475456953 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.475661993 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.475687981 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.475712061 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.476015091 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.481385946 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.481440067 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.481455088 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.487742901 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.487778902 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.488687992 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.488703966 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.488800049 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.493927002 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.494128942 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.505769014 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.505803108 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.506045103 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.506063938 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.507404089 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.646138906 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.646214962 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.646235943 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.646260977 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.646384001 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.649120092 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.649152994 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.649692059 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.649705887 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.651410103 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.655452013 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.655764103 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.659780979 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.659948111 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.659965038 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.663569927 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.667417049 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.667438984 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.671027899 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.671137094 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.671149969 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.671253920 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.673681974 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.801667929 CEST	49737	443	192.168.2.9	142.250.185.110
Oct 2, 2024 19:05:02.801693916 CEST	443	49737	142.250.185.110	192.168.2.9
Oct 2, 2024 19:05:02.854659081 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.854708910 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:02.854902029 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.855115891 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.855134010 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:02.934107065 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.934132099 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:02.934303999 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.934685946 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:02.934695959 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.492587090 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.493326902 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.493355036 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.493686914 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.493738890 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.494398117 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.494443893 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.495938063 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.496020079 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.496228933 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.496236086 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.541507959 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.578022003 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.578200102 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.578226089 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.578732014 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.578799009 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.579751015 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.579801083 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.579942942 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.580012083 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.580094099 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.580106974 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.634478092 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.793353081 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.793981075 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.794023037 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.794578075 CEST	49740	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.794589996 CEST	443	49740	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.795770884 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.795803070 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.796211004 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.796608925 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.796619892 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.877404928 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.879441977 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.879779100 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.881663084 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.881694078 CEST	443	49742	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.881711006 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.881782055 CEST	49742	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.883413076 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.883445024 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:03.883534908 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.889249086 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:03.889270067 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.447593927 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.448000908 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.448014975 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.448381901 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.448441982 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.449069977 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.449114084 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.449250937 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.449296951 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.449707985 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.449714899 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.449738026 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.452610970 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:04.452647924 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:04.452845097 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:04.454183102 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:04.454194069 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:04.491405010 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.493004084 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.620893002 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.621182919 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.621198893 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.621715069 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.621777058 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.622718096 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.622776985 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.623019934 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.623100042 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.623272896 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.623281002 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.623327017 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.664870977 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.664887905 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.668627977 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.669822931 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.669872046 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.670574903 CEST	49745	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.670598030 CEST	443	49745	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.838870049 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.840173960 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:04.840394974 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.841377974 CEST	49746	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:04.841398954 CEST	443	49746	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:05.235373020 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.235493898 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.284672022 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.284698009 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.285137892 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.295243025 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:05.336751938 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.339397907 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.359632015 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.403405905 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.572120905 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572175980 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572207928 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572236061 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572279930 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:05.572309017 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572321892 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:05.572824001 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.572918892 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:05.574402094 CEST	49717	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:05.574419022 CEST	443	49717	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:05.616245985 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616278887 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616287947 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616313934 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616347075 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616344929 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.616358042 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616375923 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616390944 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616405964 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.616415024 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616437912 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.616441965 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616482019 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.616482973 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.616516113 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.627846956 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.627872944 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:05.627912998 CEST	49749	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:05.627918959 CEST	443	49749	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:10.590776920 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:10.590821981 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:10.590898991 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:10.597672939 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:10.597693920 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.334566116 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.334861040 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.334882021 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.335246086 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.335547924 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.335602999 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.335864067 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.335875034 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.335884094 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.667691946 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.668097973 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:11.668148041 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.669543028 CEST	49756	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:11.669560909 CEST	443	49756	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:32.965708971 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:32.965740919 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:32.965807915 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:32.966126919 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:32.966137886 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.500904083 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.500969887 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.501049042 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.501368999 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.501389027 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.797434092 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.797739983 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.797753096 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.798124075 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.798547029 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.798609972 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.798908949 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.798908949 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.798933983 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.893527031 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.893582106 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:33.893675089 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.893939972 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:33.893954039 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.177335978 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.178700924 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.178750992 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.179164886 CEST	49757	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.179182053 CEST	443	49757	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.284169912 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.284529924 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.284547091 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.284929037 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.285224915 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.285283089 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.285367012 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.285381079 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.285437107 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.529141903 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.529512882 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.529531002 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.530591965 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.531066895 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.531125069 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.531212091 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.531229019 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.531234026 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.582514048 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.582659960 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.582740068 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.583081961 CEST	49758	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.583101988 CEST	443	49758	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.743779898 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.745224953 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:34.745321035 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.745399952 CEST	49759	443	192.168.2.9	142.250.185.142
Oct 2, 2024 19:05:34.745418072 CEST	443	49759	142.250.185.142	192.168.2.9
Oct 2, 2024 19:05:39.578320026 CEST	49705	80	192.168.2.9	93.184.221.240
Oct 2, 2024 19:05:39.583460093 CEST	80	49705	93.184.221.240	192.168.2.9
Oct 2, 2024 19:05:39.583524942 CEST	49705	80	192.168.2.9	93.184.221.240
Oct 2, 2024 19:05:42.405879974 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:42.405925035 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:42.406008959 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:42.406364918 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:42.406378031 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.181755066 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.181863070 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.183223009 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.183234930 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.183501959 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.184591055 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.227395058 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.511703014 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.511723042 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.511737108 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.511784077 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.511794090 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.511816025 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.511836052 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.512341022 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.512382030 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.512391090 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.512398005 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.512422085 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.513109922 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.513158083 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.518229008 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.518245935 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:43.518256903 CEST	49760	443	192.168.2.9	20.114.59.183
Oct 2, 2024 19:05:43.518263102 CEST	443	49760	20.114.59.183	192.168.2.9
Oct 2, 2024 19:05:56.807476997 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:56.807590961 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:56.807693958 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:56.807991982 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:56.808027029 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:57.484734058 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:57.485239983 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:57.485328913 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:57.485678911 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:57.486022949 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:05:57.486099958 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:05:57.541193008 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:06:07.394222975 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:06:07.394294024 CEST	443	49762	216.58.206.68	192.168.2.9
Oct 2, 2024 19:06:07.394484043 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:06:20.303411961 CEST	49762	443	192.168.2.9	216.58.206.68
Oct 2, 2024 19:06:20.303456068 CEST	443	49762	216.58.206.68	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:04:52.090497017 CEST	56561	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:52.090627909 CEST	65079	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:52.097738981 CEST	53	60385	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:52.098035097 CEST	53	56561	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:52.098227978 CEST	53	65079	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:52.152753115 CEST	53	52971	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:53.143362999 CEST	63936	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:53.143490076 CEST	59272	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:53.150686979 CEST	53	59272	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:53.150702953 CEST	53	63936	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:53.193403006 CEST	53	51201	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:56.744388103 CEST	55051	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:56.744559050 CEST	62902	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:04:56.751178026 CEST	53	55051	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:56.751358032 CEST	53	62902	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:56.939943075 CEST	53	51021	1.1.1.1	192.168.2.9
Oct 2, 2024 19:04:58.920550108 CEST	53	54540	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:01.427745104 CEST	58128	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:05:01.428200960 CEST	57875	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:05:01.434961081 CEST	53	58128	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:01.436538935 CEST	53	57875	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:02.843913078 CEST	53932	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:05:02.844264030 CEST	54245	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:05:02.850888014 CEST	53	53932	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:02.851666927 CEST	53	54245	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:10.212270021 CEST	53	51638	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:29.298360109 CEST	53	53498	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:39.583101988 CEST	138	138	192.168.2.9	192.168.2.255
Oct 2, 2024 19:05:52.067354918 CEST	53	52398	1.1.1.1	192.168.2.9
Oct 2, 2024 19:05:52.518435001 CEST	53	50883	1.1.1.1	192.168.2.9
Oct 2, 2024 19:06:03.544791937 CEST	61608	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:06:03.544981956 CEST	65210	53	192.168.2.9	1.1.1.1
Oct 2, 2024 19:06:03.551692009 CEST	53	61608	1.1.1.1	192.168.2.9
Oct 2, 2024 19:06:03.552076101 CEST	53	65210	1.1.1.1	192.168.2.9
Oct 2, 2024 19:06:03.600754976 CEST	53	54938	1.1.1.1	192.168.2.9
Oct 2, 2024 19:06:20.311574936 CEST	53	58489	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:04:52.090497017 CEST	192.168.2.9	1.1.1.1	0x1622	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:52.090627909 CEST	192.168.2.9	1.1.1.1	0x444	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:04:53.143362999 CEST	192.168.2.9	1.1.1.1	0xdfbb	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.143490076 CEST	192.168.2.9	1.1.1.1	0x3469	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:04:56.744388103 CEST	192.168.2.9	1.1.1.1	0x2c79	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:56.744559050 CEST	192.168.2.9	1.1.1.1	0xce1e	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:05:01.427745104 CEST	192.168.2.9	1.1.1.1	0x6e8c	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:01.428200960 CEST	192.168.2.9	1.1.1.1	0xe36f	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:05:02.843913078 CEST	192.168.2.9	1.1.1.1	0xd43	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:02.844264030 CEST	192.168.2.9	1.1.1.1	0x6c2f	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:06:03.544791937 CEST	192.168.2.9	1.1.1.1	0x6938	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:06:03.544981956 CEST	192.168.2.9	1.1.1.1	0x73a0	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:04:52.098035097 CEST	1.1.1.1	192.168.2.9	0x1622	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:52.098227978 CEST	1.1.1.1	192.168.2.9	0x444	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:04:53.150686979 CEST	1.1.1.1	192.168.2.9	0x3469	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150686979 CEST	1.1.1.1	192.168.2.9	0x3469	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:53.150702953 CEST	1.1.1.1	192.168.2.9	0xdfbb	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:56.751178026 CEST	1.1.1.1	192.168.2.9	0x2c79	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:04:56.751358032 CEST	1.1.1.1	192.168.2.9	0xce1e	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:05:01.434961081 CEST	1.1.1.1	192.168.2.9	0x6e8c	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:05:01.434961081 CEST	1.1.1.1	192.168.2.9	0x6e8c	No error (0)	www3.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:05:01.436538935 CEST	1.1.1.1	192.168.2.9	0xe36f	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:05:02.850888014 CEST	1.1.1.1	192.168.2.9	0xd43	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:06:03.551692009 CEST	1.1.1.1	192.168.2.9	0x6938	No error (0)	play.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	142.250.185.78	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:04:52 UTC	847	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:04:53 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:04:53 GMT Date: Wed, 02 Oct 2024 17:04:53 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49712	216.58.206.46	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:04:53 UTC	865	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:04:54 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:04:54 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:34:54 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=zj59DwWv3ts; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=dWjbEB1X_JM; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:04:54 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgKw%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:04:54 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49722	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:04:58 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:04:58 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=85252 Date: Wed, 02 Oct 2024 17:04:58 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49727	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:04:59 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:04:59 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=85195 Date: Wed, 02 Oct 2024 17:04:59 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:04:59 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49737	142.250.185.110	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:02 UTC	1233	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1001248921&timestamp=1727888700501 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:02 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-kTKEhMusLplcaVhpEF0Jeg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:05:02 GMT Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw0ZBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh2Pfr6_b2QQaXv9fwaikl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAAAOwuIg" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6b 54 4b 45 68 4d 75 73 4c 70 6c 63 61 56 68 70 45 46 30 4a 65 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="kTKEhMusLplcaVhpEF0Jeg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 17:05:02 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49740	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:03 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49742	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:03 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49745	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:04 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:04 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 37 30 31 39 32 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888701920",null,null,null
2024-10-02 17:05:04 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ZyG0GFbLNsY10Dqr2Rfo5RFfUqC4cU547T0EHvjC8H9r3oEQahBL4JpYEiYLVDQyfS6R71uMfQxwqKNlw_zne1nrwksVWbJ8Kmz1tuhJaajC7KVUlfKQCbZFE41wKqL9UVYXmvaLOU6zjHrNT00Iz3RuK9WgHpSY8NVcWKSnztBJ6oSYNQ; expires=Thu, 03-Apr-2025 17:05:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:05:04 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49746	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:04 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:05:04 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 37 30 32 30 31 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888702016",null,null,null
2024-10-02 17:05:04 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=micYROsaTqDyWZzfS8HPmk92q0qq2-cElcyknW9mTo4Xk5GaoDqFS-olR2joG-79rbj7_NsTG06Zfyt-Ws3X2H6kXi4sobV0bBJ0fctqnO6Fta3q4cLEcYSvUwe_WHP-dGTq4QudYScfP6MN8vUkKCR8twtJIoumuMFGSU9ibygcF7i9qKU; expires=Thu, 03-Apr-2025 17:05:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:05:04 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49717	216.58.206.68	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:05 UTC	1210	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=micYROsaTqDyWZzfS8HPmk92q0qq2-cElcyknW9mTo4Xk5GaoDqFS-olR2joG-79rbj7_NsTG06Zfyt-Ws3X2H6kXi4sobV0bBJ0fctqnO6Fta3q4cLEcYSvUwe_WHP-dGTq4QudYScfP6MN8vUkKCR8twtJIoumuMFGSU9ibygcF7i9qKU
2024-10-02 17:05:05 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 5275 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:05:05 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:05:05 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 17:05:05 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:05:05 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 17:05:05 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49749	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:05 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gT5EOe7XAfCHPgO&MD=yYxOA5Wo HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:05:05 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0b3263f8-1dc8-4710-a293-b2b2303067f0 MS-RequestId: 9f2ea514-97cf-4c80-88a5-4c852d019f73 MS-CV: tMXC8UXHtUiaHG2s.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:05:05 GMT Connection: close Content-Length: 24490
2024-10-02 17:05:05 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:05:05 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49756	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:11 UTC	1295	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=micYROsaTqDyWZzfS8HPmk92q0qq2-cElcyknW9mTo4Xk5GaoDqFS-olR2joG-79rbj7_NsTG06Zfyt-Ws3X2H6kXi4sobV0bBJ0fctqnO6Fta3q4cLEcYSvUwe_WHP-dGTq4QudYScfP6MN8vUkKCR8twtJIoumuMFGSU9ibygcF7i9qKU
2024-10-02 17:05:11 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 38 36 39 39 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727888699000",null,null,null,
2024-10-02 17:05:11 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=sKhAhUDnpWsSNv2fowRZhS7k_dSXzVl0y8w47aKy5wPCR9EUl5qnxxpdcR8UaBeETkNhfFrhyMEiTFliDlXIqdTky_qO939g5X-n5UVsc6ei-In25UhwDccWca7_XLWGcaVFk25uqaHNKXBUPMLcBr5CSIq9_I099HPvHQTeZ921L7KGYgb-uiAtMxY; expires=Thu, 03-Apr-2025 17:05:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:05:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49757	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:33 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1419 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=sKhAhUDnpWsSNv2fowRZhS7k_dSXzVl0y8w47aKy5wPCR9EUl5qnxxpdcR8UaBeETkNhfFrhyMEiTFliDlXIqdTky_qO939g5X-n5UVsc6ei-In25UhwDccWca7_XLWGcaVFk25uqaHNKXBUPMLcBr5CSIq9_I099HPvHQTeZ921L7KGYgb-uiAtMxY
2024-10-02 17:05:33 UTC	1419	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 37 33 32 30 34 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888732046",null,null,null
2024-10-02 17:05:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49758	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:34 UTC	1326	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1146 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=sKhAhUDnpWsSNv2fowRZhS7k_dSXzVl0y8w47aKy5wPCR9EUl5qnxxpdcR8UaBeETkNhfFrhyMEiTFliDlXIqdTky_qO939g5X-n5UVsc6ei-In25UhwDccWca7_XLWGcaVFk25uqaHNKXBUPMLcBr5CSIq9_I099HPvHQTeZ921L7KGYgb-uiAtMxY
2024-10-02 17:05:34 UTC	1146	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 37 33 32 35 37 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888732573",null,null,null
2024-10-02 17:05:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49759	142.250.185.142	443	7232	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:34 UTC	1285	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 862 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=sKhAhUDnpWsSNv2fowRZhS7k_dSXzVl0y8w47aKy5wPCR9EUl5qnxxpdcR8UaBeETkNhfFrhyMEiTFliDlXIqdTky_qO939g5X-n5UVsc6ei-In25UhwDccWca7_XLWGcaVFk25uqaHNKXBUPMLcBr5CSIq9_I099HPvHQTeZ921L7KGYgb-uiAtMxY
2024-10-02 17:05:34 UTC	862	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-02 17:05:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:05:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:05:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:05:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49760	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:05:43 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gT5EOe7XAfCHPgO&MD=yYxOA5Wo HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:05:43 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 87b8054e-e0e2-4bb3-9215-cc5e8ca40430 MS-RequestId: 3ce74b19-af21-4281-a4cb-516b648fee34 MS-CV: uC5BFatM8EyCwfC8.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:05:42 GMT Connection: close Content-Length: 30005
2024-10-02 17:05:43 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:05:43 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	13:04:47
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x70000
File size:	918'528 bytes
MD5 hash:	17E81DED92E36F3D9CB2E548E9765CBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:04:48
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x350000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:04:48
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:04:50
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:04:50
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:05:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:05:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=2352,i,15969125917398102169,18062438457060757556,262144 /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1673
Total number of Limit Nodes:	55

Executed Functions

Function 0008F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0008F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000CF474
IsIconic.USER32(00000000), ref: 000CF47D
ShowWindow.USER32(00000000,00000009), ref: 000CF48A
SetForegroundWindow.USER32(00000000), ref: 000CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4AA
GetCurrentThreadId.KERNEL32 ref: 000CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000CF4DE
SetForegroundWindow.USER32(00000000), ref: 000CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF4F6
keybd_event.USER32(00000012,00000000), ref: 000CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF50B
keybd_event.USER32(00000012,00000000), ref: 000CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF519
keybd_event.USER32(00000012,00000000), ref: 000CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF528
keybd_event.USER32(00000012,00000000), ref: 000CF52D
SetForegroundWindow.USER32(00000000), ref: 000CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000CF557

Strings

Shell_TrayWnd, xrefs: 000CF46F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 58ac5f7b9c48de4d3657cbc1d2f10552dcc3b72fd020c7cf6107dc01ed7bf6d5
Instruction ID: 48235b689c715e16b59526cd5d3ae1417bc90e68dbe19893c0f394b7b92c5837
Opcode Fuzzy Hash: 58ac5f7b9c48de4d3657cbc1d2f10552dcc3b72fd020c7cf6107dc01ed7bf6d5
Instruction Fuzzy Hash: 51315E71B40218BBEB206BB55C4AFBF7EADEB44B50F10012AFB40E61D1C6F15D40AEA1

Function 000742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0007430D

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

GetCurrentProcess.KERNEL32(?,0010CB64,00000000,?,?), ref: 00074422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00074429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00074454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00074466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00074474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0007447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000744A0

Strings

kernel32.dll, xrefs: 0007444F
|O, xrefs: 000B36F8
GetNativeSystemInfo, xrefs: 00074460

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 782e3e683eb12292f6959f7853655814fdbade166a622d2dc828a69ee1d52131
Instruction ID: e88273900d05782d53c67450f0049f5d7b21690027c62dd50a964c913f8dd3a7
Opcode Fuzzy Hash: 782e3e683eb12292f6959f7853655814fdbade166a622d2dc828a69ee1d52131
Instruction Fuzzy Hash: 75A1A16AD0A2C0FFC721CF6ABC401E97FE47B27360B188499D08593E32E72449C9DB65

Function 000742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000750AA,?,?,00000000,00000000), ref: 000742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000750AA,?,?,00000000,00000000), ref: 000742C9
LoadResource.KERNEL32(?,00000000,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20), ref: 000B35BE
SizeofResource.KERNEL32(?,00000000,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20), ref: 000B35D3
LockResource.KERNEL32(000750AA,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20,?), ref: 000B35E6

Strings

SCRIPT, xrefs: 000742BF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 849b34cf4218b07378f2191849764f90f5ea957c1a51cc0cf7974c17405830f4
Instruction ID: 534ce52e1dde9ec2e93306a66e6bfa38a64dc7f4b4630cf2d8aae11c3c999de8
Opcode Fuzzy Hash: 849b34cf4218b07378f2191849764f90f5ea957c1a51cc0cf7974c17405830f4
Instruction Fuzzy Hash: 15117C70A00700BFD7218B65DC48F677BB9EBC5B51F208269B44696A90DBB1D8518A60

Function 000B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00072B6B

Part of subcall function 00073A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141418,?,00072E7F,?,?,?,00000000), ref: 00073A78

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00132224), ref: 000B2C10
ShellExecuteW.SHELL32(00000000,?,?,00132224), ref: 000B2C17

Strings

runas, xrefs: 000B2C0B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 37f0175525ee076cf269e60e217be4d59cb8d6dec4faef5696b43f0af0fa207c
Instruction ID: b8657b0c465818276279b3578542df8628dacf6726f2c2445a421e691f67f523
Opcode Fuzzy Hash: 37f0175525ee076cf269e60e217be4d59cb8d6dec4faef5696b43f0af0fa207c
Instruction Fuzzy Hash: 3611D631A083456AD714FF60DC52DEE77A4AF91700F44942DF08A520A3DF398A89D756

Function 000DDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000B5222), ref: 000DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 000DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 000DDBEE
FindClose.KERNEL32(00000000), ref: 000DDBFA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2bd87ca9dc5581c492b534c4f6cfa74044055dfc17640a9feb8fb2c595a3126c
Instruction ID: 1aa3f0863e5b79d27b0658c643a8b524d91a178962a86c97379a539ea982bc11
Opcode Fuzzy Hash: 2bd87ca9dc5581c492b534c4f6cfa74044055dfc17640a9feb8fb2c595a3126c
Instruction Fuzzy Hash: BDF0A73042061197C2206B789C0D47A37AD9F01334F104703F475C15E1EBF0599489E5

Function 00094CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000,?,000A28E9), ref: 00094D09
TerminateProcess.KERNEL32(00000000,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000,?,000A28E9), ref: 00094D10
ExitProcess.KERNEL32 ref: 00094D22

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a839483eda70a1f91b5056a7a0b277ffe1b8599ece87e2182085cd4edf2e82a5
Instruction ID: 433e6f9b70b787221a58bbce53a169009497215a9a5611675826ab57dd234d56
Opcode Fuzzy Hash: a839483eda70a1f91b5056a7a0b277ffe1b8599ece87e2182085cd4edf2e82a5
Instruction Fuzzy Hash: 07E0B635015148ABCF15AF54DD09E983B69FB46781B108114FC458A523CB75DD82DE80

Function 000FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 000FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000FB1D4
_wcslen.LIBCMT ref: 000FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000FB236
_wcslen.LIBCMT ref: 000FB332

Part of subcall function 000E05A7: GetStdHandle.KERNEL32(000000F6), ref: 000E05C6

_wcslen.LIBCMT ref: 000FB34B
_wcslen.LIBCMT ref: 000FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000FB3B6
GetLastError.KERNEL32(00000000), ref: 000FB407
CloseHandle.KERNEL32(?), ref: 000FB439
CloseHandle.KERNEL32(00000000), ref: 000FB44A
CloseHandle.KERNEL32(00000000), ref: 000FB45C
CloseHandle.KERNEL32(00000000), ref: 000FB46E
CloseHandle.KERNEL32(?), ref: 000FB4E3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8310f940156684f94f2b64b65c777d3941e01af8d4eeefcc7986d3c39b35cee3
Instruction ID: ed281a4457acde48fa0d3579417d328a1e16a3eed44eb3e0372129828a3346ca
Opcode Fuzzy Hash: 8310f940156684f94f2b64b65c777d3941e01af8d4eeefcc7986d3c39b35cee3
Instruction Fuzzy Hash: 81F189316082049FCB64EF24C881BAEBBE1AF85314F14855DF9899B2A2CB71EC40DF52

Function 0007D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0007D807
timeGetTime.WINMM ref: 0007DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB28
TranslateMessage.USER32(?), ref: 0007DB7B
DispatchMessageW.USER32(?), ref: 0007DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB9F
Sleep.KERNELBASE(0000000A), ref: 0007DBB1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: fcbf135bb0217daabe67318e63d1f21c4e141cfca5a530e9d4254d9e6bfc8518
Instruction ID: d4d550e78b9fca8fbba3b557bff58cb0f0948012978d7c5dc05fb625a2b1b151
Opcode Fuzzy Hash: fcbf135bb0217daabe67318e63d1f21c4e141cfca5a530e9d4254d9e6bfc8518
Instruction Fuzzy Hash: D342C070A04241EFD774DB24C884FAEB7F1BF46304F14861EE599876A2D774E884CB96

Function 00072CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00072D07
RegisterClassExW.USER32(00000030), ref: 00072D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00072D42
InitCommonControlsEx.COMCTL32(?), ref: 00072D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00072D6F
LoadIconW.USER32(000000A9), ref: 00072D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00072D94

Strings

+, xrefs: 00072CF0
AutoIt v3 GUI, xrefs: 00072D23
TaskbarCreated, xrefs: 00072D37
0, xrefs: 00072CE9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: bd7ce160f5efe483893d693e19c5a8370932662f7443e8ff1ffcd3911c32ca2b
Instruction ID: 1b81a5588c60f31fd38eb854b3cddbd59fc84547434b5c272257dd0bad8e1357
Opcode Fuzzy Hash: bd7ce160f5efe483893d693e19c5a8370932662f7443e8ff1ffcd3911c32ca2b
Instruction Fuzzy Hash: DD21C2B9951318EFDB00DFA4EC89BDDBBB8FB09704F00821AF591A66A0D7B54584CF91

Function 000B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000B039A: CreateFileW.KERNELBASE(00000000,00000000,?,000B0704,?,?,00000000,?,000B0704,00000000,0000000C), ref: 000B03B7

GetLastError.KERNEL32 ref: 000B076F
__dosmaperr.LIBCMT ref: 000B0776
GetFileType.KERNELBASE(00000000), ref: 000B0782
GetLastError.KERNEL32 ref: 000B078C
__dosmaperr.LIBCMT ref: 000B0795
CloseHandle.KERNEL32(00000000), ref: 000B07B5
CloseHandle.KERNEL32(?), ref: 000B08FF
GetLastError.KERNEL32 ref: 000B0931
__dosmaperr.LIBCMT ref: 000B0938

Strings

H, xrefs: 000B08BD

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fa548a7f5bdb0f34a2d257adfc341d9e35c20505110dea3ae8b526d9ddee411c
Instruction ID: 73d8d445f1cd65ad6d38fbebc56dfc8429be26222b17c68274890a4c942ca36f
Opcode Fuzzy Hash: fa548a7f5bdb0f34a2d257adfc341d9e35c20505110dea3ae8b526d9ddee411c
Instruction Fuzzy Hash: 9CA11332A141058FDF29AF68D851BEE7BE0AB0A320F144159F855DF3E2DB319D52CB91

Function 0007344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00073A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141418,?,00072E7F,?,?,?,00000000), ref: 00073A78

Part of subcall function 00073357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00073379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0007356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000B31CE
RegCloseKey.ADVAPI32(?), ref: 000B3210
_wcslen.LIBCMT ref: 000B3277
_wcslen.LIBCMT ref: 000B3286

Strings

Include, xrefs: 000B3184, 000B31C5
\Include\, xrefs: 00073527
\, xrefs: 000B328C
Software\AutoIt v3\AutoIt, xrefs: 00073560

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1ca43fc0ca727116bbfe533af2a57e3c157df72bd70ff1d40a55473ac400c342
Instruction ID: 2ec33188594fe7577287d1c468ad68b17ba524838e1e6fea5406d919af226dc4
Opcode Fuzzy Hash: 1ca43fc0ca727116bbfe533af2a57e3c157df72bd70ff1d40a55473ac400c342
Instruction Fuzzy Hash: 9471A2719043019EC314DF25DC828ABBBF8FF8A740F90452DF585931B1EB749A88CB56

Function 00072B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00072B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00072B9D
LoadIconW.USER32(00000063), ref: 00072BB3
LoadIconW.USER32(000000A4), ref: 00072BC5
LoadIconW.USER32(000000A2), ref: 00072BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00072BEF
RegisterClassExW.USER32(?), ref: 00072C40

Part of subcall function 00072CD4: GetSysColorBrush.USER32(0000000F), ref: 00072D07
Part of subcall function 00072CD4: RegisterClassExW.USER32(00000030), ref: 00072D31
Part of subcall function 00072CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00072D42
Part of subcall function 00072CD4: InitCommonControlsEx.COMCTL32(?), ref: 00072D5F
Part of subcall function 00072CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00072D6F
Part of subcall function 00072CD4: LoadIconW.USER32(000000A9), ref: 00072D85
Part of subcall function 00072CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00072D94

Strings

0, xrefs: 00072C0F
AutoIt v3, xrefs: 00072C2F
#, xrefs: 00072C16

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5735e6348481faff5ce45f38e487fee5158758d3edf3f1c2feba61fe431ce626
Instruction ID: 6098f03a9b3f82cb6b414a678f4d5ad7ebceba43b10fdb56a6096ec5184ad378
Opcode Fuzzy Hash: 5735e6348481faff5ce45f38e487fee5158758d3edf3f1c2feba61fe431ce626
Instruction Fuzzy Hash: 0E212978E40318BBDB109FA5EC95AA97FB4FB49B60F00452AF504A6AB0D7B505C0CF94

Function 00073170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0007316A,?,?), ref: 000731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0007316A,?,?), ref: 00073204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00073227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0007316A,?,?), ref: 00073232
CreatePopupMenu.USER32 ref: 00073246
PostQuitMessage.USER32(00000000), ref: 00073267

Strings

TaskbarCreated, xrefs: 0007322D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 79acad7b7d2be96bfeaf0c5ef677fddcffac717d5830116832e28b55c77f81bb
Instruction ID: b5fa77466677c790ad024f9ffdcd185612d90c4942f35d3fd6e5a463e20336d7
Opcode Fuzzy Hash: 79acad7b7d2be96bfeaf0c5ef677fddcffac717d5830116832e28b55c77f81bb
Instruction Fuzzy Hash: F9416D35B50204B7FB241B38CD09BFD3796E706350F148225F90D856B3C7788AC1ABAA

Function 00071410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00071459
CoUninitialize.COMBASE ref: 000714F8
UnregisterHotKey.USER32(?), ref: 000716DD
DestroyWindow.USER32(?), ref: 000B24B9
FreeLibrary.KERNEL32(?), ref: 000B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000B254B

Strings

close all, xrefs: 00071454

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d3862f268e872ce0b2028a153f326689811e6b8d45ae99276a1a956bb1abe70d
Instruction ID: 3630ca647e02770aae2118c2413f71f26137c7f2e992ceb4d886cf19d956cc9d
Opcode Fuzzy Hash: d3862f268e872ce0b2028a153f326689811e6b8d45ae99276a1a956bb1abe70d
Instruction Fuzzy Hash: FAD19231B01212CFCB29EF19C499AA9F7A4BF05700F14829DE54E6B292DB34ED52CF55

Function 00072C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00072C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00072CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00071CAD,?), ref: 00072CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00071CAD,?), ref: 00072CCF

Strings

AutoIt v3, xrefs: 00072C89, 00072C8E, 00072C8F
edit, xrefs: 00072CAC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d6a6b8404654628405ab64b4e75181b1d6fb7ebfe3b7d03d39d999bdd8110586
Instruction ID: d4445789eb3d08353b5190dd01c74e5bdabf576eadbd906d0c2396e771a1a0e4
Opcode Fuzzy Hash: d6a6b8404654628405ab64b4e75181b1d6fb7ebfe3b7d03d39d999bdd8110586
Instruction Fuzzy Hash: FAF0DA795402947AEB311B17AC48E773EBDE7C7F60B00005AF900A29B0C6A118D4DEB0

Function 000DE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000DE9A5
Sleep.KERNEL32(00000000), ref: 000DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000DE9B7
Sleep.KERNELBASE ref: 000DE9F3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e06c6bed41d5234eb07d4f6559f6cb8fbdb0b4fd279a6e07f27fb3de89b54ca9
Instruction ID: 5263338f04b52c40b4db5dd15b0d0b5a42a0f8d2ef80d4619d0750b40a0e6680
Opcode Fuzzy Hash: e06c6bed41d5234eb07d4f6559f6cb8fbdb0b4fd279a6e07f27fb3de89b54ca9
Instruction Fuzzy Hash: 62012931C02629DBCF50AFE5DC69AEDFB78FF09701F000656E542B6241CB709595CBA1

Function 00073B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B83

Strings

Control Panel\Mouse, xrefs: 00073B3E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ff3b869a866a02d104f0710fda47ace6d76ecefd77b3758cff3e41f7bea0ad4d
Instruction ID: dd9212f60093ef168a2ca351b32afed732e58feac700281a49f765cb44049317
Opcode Fuzzy Hash: ff3b869a866a02d104f0710fda47ace6d76ecefd77b3758cff3e41f7bea0ad4d
Instruction Fuzzy Hash: 0F112AB5910208FFEB608FA5DC44AEEB7BCEF44744B10855ABA09D7110D375AE40ABA4

Function 00073923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000B33A2

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00073A04

Strings

Line: , xrefs: 000B33EB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: cc40c99b2b5246855643a6940fdbe62179b9e9a4333c3202466af6413f12717e
Instruction ID: 36401ee33e374725153d3e9e1367160b7d06d48ccfa72f738eba939ee782788d
Opcode Fuzzy Hash: cc40c99b2b5246855643a6940fdbe62179b9e9a4333c3202466af6413f12717e
Instruction Fuzzy Hash: F431C771808304AAD721EB20DC45BDF77D8AB41710F10892EF59D925A2DB749788C7D6

Function 0008FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00090668

Part of subcall function 000932A4: RaiseException.KERNEL32(?,?,?,0009068A,?,00141444,?,?,?,?,?,?,0009068A,00071129,00138738,00071129), ref: 00093304

__CxxThrowException@8.LIBVCRUNTIME ref: 00090685

Strings

Unknown exception, xrefs: 00090692

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e8355043839139e28ba15fb9c548b139716cff5895055f4fb0a511537fb537b2
Instruction ID: fe46c5472628a86c09d63d65a2135137f6645b3923461a83e372b84ec30eb247
Opcode Fuzzy Hash: e8355043839139e28ba15fb9c548b139716cff5895055f4fb0a511537fb537b2
Instruction Fuzzy Hash: E8F04F34900309ABCF10B6B4D846CAE77AD6F40350B604535B964D65D2EF71EA66EA81

Function 00102322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0010232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0010233F

Part of subcall function 000DE97B: Sleep.KERNELBASE ref: 000DE9F3

Strings

Shell_TrayWnd, xrefs: 00102325

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 87a0296c2e688d04d5385df9324d044d0b321de963cf025e2a5395533d6ad7ff
Instruction ID: 8f07c9016da673ede17fa9724ff93a46ad6ba727457901ce2132e23fabba17ce
Opcode Fuzzy Hash: 87a0296c2e688d04d5385df9324d044d0b321de963cf025e2a5395533d6ad7ff
Instruction Fuzzy Hash: 93D01276395350B7E678B770DC1FFC6BA189B00B14F108A167785AA2D1C9F0A841CEA4

Function 000710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00071BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00071BF4
Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00071BFC
Part of subcall function 00071BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00071C07
Part of subcall function 00071BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00071C12
Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00071C1A
Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00071C22

Part of subcall function 00071B4A: RegisterWindowMessageW.USER32(00000004,?,000712C4), ref: 00071BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0007136A
OleInitialize.OLE32 ref: 00071388
CloseHandle.KERNEL32(00000000,00000000), ref: 000B24AB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3228ff20d4ff1b49f734961bcdd0ea62c17cdb2d6720cf0ca8bf0c132f2d14da
Instruction ID: 8db2e4a1cd846870cfb1a3690534d00b503fbafdfc83b0f801c642d16ed5dbac
Opcode Fuzzy Hash: 3228ff20d4ff1b49f734961bcdd0ea62c17cdb2d6720cf0ca8bf0c132f2d14da
Instruction Fuzzy Hash: 7171B9BCE11301AEC384EF79E9456D53AE1BB8B344358822AD55EDBAB2EB7444C1CF44

Function 000DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00073923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00073A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000DC259
KillTimer.USER32(?,00000001,?,?), ref: 000DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000DC270

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 85dd813484c182bf4851b762d8c5046e9d3cd613460bda71653ff9c0e7b684a7
Instruction ID: e01aa07c33d5bc05b98627d784f8687e7cdc4e3063b2a45fed71717466639547
Opcode Fuzzy Hash: 85dd813484c182bf4851b762d8c5046e9d3cd613460bda71653ff9c0e7b684a7
Instruction Fuzzy Hash: C6318170904354AFFB729F648895BEBBBECAB06304F04449EE6DA97241C7745A84CB61

Function 000A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000A85CC,?,00138CC8,0000000C), ref: 000A8704
GetLastError.KERNEL32(?,000A85CC,?,00138CC8,0000000C), ref: 000A870E
__dosmaperr.LIBCMT ref: 000A8739

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 5055e2aee700747f232b089c45f2df27f43e7ae45677aef52a5847c2af9a1a93
Instruction ID: 85253269df09cd9b759a3e2b5cc7ed6080c293e6f035103aee64e280a87f0d8e
Opcode Fuzzy Hash: 5055e2aee700747f232b089c45f2df27f43e7ae45677aef52a5847c2af9a1a93
Instruction Fuzzy Hash: 14012B3360562026EAA563F46C45BBE67895BC3775F398219F9149B1D3DEB0CC858390

Function 0007DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0007DB7B
DispatchMessageW.USER32(?), ref: 0007DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB9F
Sleep.KERNELBASE(0000000A), ref: 0007DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 000C1CC9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6c562d1b3ccbd9490971d78321ed8a58ccb5e8b0c8f115f5aa420ae6be879bd6
Instruction ID: 1f3b3b66a020b1b3160f6bb4e71d7048c6425056b8c829c0bfd064c19e4b30f9
Opcode Fuzzy Hash: 6c562d1b3ccbd9490971d78321ed8a58ccb5e8b0c8f115f5aa420ae6be879bd6
Instruction Fuzzy Hash: 6BF03A306443859AE770CB608C89FEA73B8AF45310F504619F65A934D0DB74A4889B55

Function 00081310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000817F6

Strings

CALL, xrefs: 000817C6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c81383abac6649b44aed2f7c758e7f5385bdd9f99250b6119856b748c3ea614e
Instruction ID: 00036127cc544271f457456757f2adc0eba64971749c2c4d740a403f51c60014
Opcode Fuzzy Hash: c81383abac6649b44aed2f7c758e7f5385bdd9f99250b6119856b748c3ea614e
Instruction Fuzzy Hash: 03226B70608241DFC724EF14C484BAABBF5BF85314F14896DF49A8B3A2D772E946CB52

Function 00101EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 00102043

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Strings

all, xrefs: 00101F09

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: 605884b26211d41797216314601f59f7662b89d7b3c8ac7fb94729b9ee2cc2c7
Instruction ID: 2ea60105568136c380ae5c4220c48b856bc897e33f37e0a588638221755d969d
Opcode Fuzzy Hash: 605884b26211d41797216314601f59f7662b89d7b3c8ac7fb94729b9ee2cc2c7
Instruction Fuzzy Hash: 8C518D71604302AFD704EF24C886EAAB7E5BF88310F40851DF99E9B292DB75ED44CB95

Function 00072DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000B2C8C

Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2

Part of subcall function 00072DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00072DC4

Strings

X, xrefs: 000B2C5A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 57c565a7e10255cba23c6c5b44339fb4579f2658cdb1f12dea80bba0fe111977
Instruction ID: dd3f4595f1edcff148b32ee540af6bf14abe2dbe7647023bbc564d067292fdf0
Opcode Fuzzy Hash: 57c565a7e10255cba23c6c5b44339fb4579f2658cdb1f12dea80bba0fe111977
Instruction Fuzzy Hash: 80217271E00258AFDB51EF94C845BEE7BF8AF49314F00C059E449B7242DBB85A89CFA5

Function 00073837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00073908

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c28d38086d8108944706213041c6b0724a2dbbeff0768f83d37fc923038b4100
Instruction ID: 02b727eb2b95627d961c93783d0cd1eb29eef01dbedad6bd4f26d623f90bf069
Opcode Fuzzy Hash: c28d38086d8108944706213041c6b0724a2dbbeff0768f83d37fc923038b4100
Instruction Fuzzy Hash: DF319370904301AFE760DF24D8847D7BBE4FB49718F00092EF59D83651E775AA84DB56

Function 0008F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0008F661

Part of subcall function 0007D730: GetInputState.USER32 ref: 0007D807

Sleep.KERNEL32(00000000), ref: 000CF2DE

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 4ccbf1156de7ac24f237b1b1168db6998c8ff8620476d0669962ba1f49b8064e
Instruction ID: ae1b772ac1c0d96f2234bdf830ce43e6bf8bd2689750d4b7b4e5d2ecc70f43a8
Opcode Fuzzy Hash: 4ccbf1156de7ac24f237b1b1168db6998c8ff8620476d0669962ba1f49b8064e
Instruction Fuzzy Hash: 44F08C312406059FD314EF79D449BAABBE8FF45761F00412AE89DC72A1EBB0A840CF95

Function 0007B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0007BB4E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 77d4e0517ccfeb4578ed375e8ffb8949ce9d4432d68fc6d752247a437470dfc5
Instruction ID: 2e5a4d03afaea87d1a107801654364875dfdace254eaed8aab010408b1f4872d
Opcode Fuzzy Hash: 77d4e0517ccfeb4578ed375e8ffb8949ce9d4432d68fc6d752247a437470dfc5
Instruction Fuzzy Hash: 78327934E00209EFDB24DF54C894FBEB7F9EB45304F148059E919AB262D778AE81CB95

Function 001013B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00101420

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 495fc14d75f77913e9e5d3017e0824b19a335ab76a766042abc3fd4558ee90ea
Instruction ID: 6f32047857db93dc1aa37041e1dad20f576dbc633844b5754dd8c39f5076fc4f
Opcode Fuzzy Hash: 495fc14d75f77913e9e5d3017e0824b19a335ab76a766042abc3fd4558ee90ea
Instruction Fuzzy Hash: 5E319470604602AFD714EF25C495B69F7A2FF45328F048169E89A8F392DBB9EC41CBD0

Function 00074ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00074E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E9C
Part of subcall function 00074E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00074EAE
Part of subcall function 00074E90: FreeLibrary.KERNEL32(00000000,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EFD

Part of subcall function 00074E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E62
Part of subcall function 00074E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074E74
Part of subcall function 00074E59: FreeLibrary.KERNEL32(00000000,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E87

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d3d42d349a2d041fa79e6c507877b83c33534387ad117d2496eeb9de7ef71b46
Instruction ID: 8a7aea85d6306422029c7b49dccc6de84e497cf9e66994e1d65848f53e90ff1e
Opcode Fuzzy Hash: d3d42d349a2d041fa79e6c507877b83c33534387ad117d2496eeb9de7ef71b46
Instruction Fuzzy Hash: 8711E731A00205ABDF24FF60DC02FED77A5AF40711F20C42DF54AA61C2DFB89A459B94

Function 00102658 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000001,?), ref: 001026E0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d453a7f9007caf8d103b5ec4ce199612141879dabe1978fd046c3fbec4f800ea
Instruction ID: 8898f8616f44a4ba69e624004f317888139c75b40c8dbf4aeb9db72fed7c151a
Opcode Fuzzy Hash: d453a7f9007caf8d103b5ec4ce199612141879dabe1978fd046c3fbec4f800ea
Instruction Fuzzy Hash: 321104706002419FD714EF29C899F3AB795FF41364F50805DE88A8B6D2CBB2EC81CB90

Function 000A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000A8440

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cfe78d4a30eabf751c1dd50c6656beb070d1e8c0274f3ce8154aa75b38fa3355
Instruction ID: 0837bfaf8b8d4d8103984c74357f10fb1ebcf84ab4c062cf3a6505a4b19aae7f
Opcode Fuzzy Hash: cfe78d4a30eabf751c1dd50c6656beb070d1e8c0274f3ce8154aa75b38fa3355
Instruction Fuzzy Hash: 5A11187590420AAFCB15DF98E9419DE7BF9EF49314F148059F808AB312DA31DA11CBA5

Function 000A5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A4C7D: RtlAllocateHeap.NTDLL(00000008,00071129,00000000,?,000A2E29,00000001,00000364,?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?), ref: 000A4CBE

_free.LIBCMT ref: 000A506C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 577205c389a08045f2fc90533c77d58859d9370347d36b42dcbe815168247093
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 1B014E722047045BE3318F95DC45E9AFBECFB8A370F25051DE184832C0E6706805C774

Function 001029BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,001014B5,?), ref: 00102A01

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 5911e1b5c5c7871b75965c9d6b3811da4bd51ade0907b58b5ec682e13ef0d110
Instruction ID: 4f877c7dde3b90912c1e25c7e2fe2caa829ce62131836d4718c2adaba2780e26
Opcode Fuzzy Hash: 5911e1b5c5c7871b75965c9d6b3811da4bd51ade0907b58b5ec682e13ef0d110
Instruction Fuzzy Hash: D401B136740A51DFD324CA2CC458F267792EB85318F69C569D0C78B691DFB2EC42C7A0

Function 0009E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: fa39d63f5c00e36a7d067b5c7dfeaa82316dd03b60575e6e7a0531e08feb2eac
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D8F0F432510E10AADE317AA9DC05BDA33989FA33B4F100725F820962D3DB70DC01A6A5

Function 000A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00071129,00000000,?,000A2E29,00000001,00000364,?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?), ref: 000A4CBE

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 76307db6c3ce195d99abeb1c5f6717844b172cd17c41ee9af9563c198a3a2ff2
Instruction ID: fc556d1419c3d57a8da48a6355c7eaf7694b06e9a3d4157297ea744175d2d130
Opcode Fuzzy Hash: 76307db6c3ce195d99abeb1c5f6717844b172cd17c41ee9af9563c198a3a2ff2
Instruction Fuzzy Hash: A5F0E93960622467DFE15FE29C09F9A37C8BFC37B0B144221B81DE7191CAF0D80156E0

Function 000A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25d2d7ee1fd53ce6d22d1ec45bc6aed9cb068f6634d524e18a95bed7640b4831
Instruction ID: 24cebe2a869a863aa5d0f01cd3dee5035c345b25ee33eed80ab2c048266ce3a7
Opcode Fuzzy Hash: 25d2d7ee1fd53ce6d22d1ec45bc6aed9cb068f6634d524e18a95bed7640b4831
Instruction Fuzzy Hash: 70E0ED31102326A6EA312BE69C05FDA3A88AF43BB0F050120BC0496892DF28DE0292E0

Function 00074F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074F6D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d712b68208729a2480ad6362ceb11444c1ee06b9cadfc9feac26cf091adb6172
Instruction ID: a40bbf57f4aea35669bf90ddc7c629925e36f5e36a2a34dc761313cdc85cfbbb
Opcode Fuzzy Hash: d712b68208729a2480ad6362ceb11444c1ee06b9cadfc9feac26cf091adb6172
Instruction Fuzzy Hash: BBF0A970805342CFCB349F24D490826FBE0EF00329320CA7EE1EE82621C7369884DF04

Function 00102A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00102A66

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 812bec311d88bd4b8c147f822727fc3d7ead48922ea01021e96f9ae808aed409
Instruction ID: c9ed23490b0c329d5971609118206223dae5ec02e38777cb42d596a27d54d4b0
Opcode Fuzzy Hash: 812bec311d88bd4b8c147f822727fc3d7ead48922ea01021e96f9ae808aed409
Instruction Fuzzy Hash: 81E01A36354216AAC724AB30D8848FAB358EB50395B104536E85AD2641DF70999586A0

Function 000730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0007314E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a44070d98f0492417dd12840a1e8b5bcdf536bfa09207d2b921620a022fe6391
Instruction ID: e8ddae96a0ff6ba4812b7734211aa0838e162acdc252c479c7736f59590cdbcd
Opcode Fuzzy Hash: a44070d98f0492417dd12840a1e8b5bcdf536bfa09207d2b921620a022fe6391
Instruction Fuzzy Hash: B8F03774914314AFEB629F24DC457D57BFCB701708F0001E5A58896592D77457C8CF51

Function 00072DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00072DC4

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: a764689968572bbb9dbf23215b0e84400a99848acdc513d6496f9dac7133f30d
Instruction ID: 1b88dbd068e74a0dc3a77850050af2b99c7338c79bbd82e05da7e550161a0d19
Opcode Fuzzy Hash: a764689968572bbb9dbf23215b0e84400a99848acdc513d6496f9dac7133f30d
Instruction Fuzzy Hash: 3FE0CD72A001245BC71093589C05FEA77DDDFC8790F044171FD09D7249DA64ADC0C590

Function 00072B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00073837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00073908

Part of subcall function 0007D730: GetInputState.USER32 ref: 0007D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00072B6B

Part of subcall function 000730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0007314E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: fcdf66b04d39817dc9b89de54d09d293aa0a1825525f606668ea5854ccedf6b5
Instruction ID: 7abae63441821988f969bfd13122b3a77b587d641afaa88f6fd072afdb2dd339
Opcode Fuzzy Hash: fcdf66b04d39817dc9b89de54d09d293aa0a1825525f606668ea5854ccedf6b5
Instruction Fuzzy Hash: DDE07D21F0420813C608BB30A8124FDB7599FD2311F40853EF08E431B3CF2C89C5835A

Function 000B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000B0704,?,?,00000000,?,000B0704,00000000,0000000C), ref: 000B03B7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 89467b7899d325a8228b1d28eabe7990d6b92561eb7674a1e5d370f975243130
Instruction ID: 22fc57f339a883237423f366fa14cb9fdeeeb34726a496db24b3bb6cd4e021e3
Opcode Fuzzy Hash: 89467b7899d325a8228b1d28eabe7990d6b92561eb7674a1e5d370f975243130
Instruction Fuzzy Hash: C9D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014100BE5856020C772E861AB90

Function 00071CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00071CBC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 183ebecb38316ef79f1e5496f15f6fa05b081fc72644c146ff027757d749a148
Instruction ID: 4fb6ff73f4c030e68ad1b9be4fe2da6af17923a1c4700c21f40272c27f665f49
Opcode Fuzzy Hash: 183ebecb38316ef79f1e5496f15f6fa05b081fc72644c146ff027757d749a148
Instruction Fuzzy Hash: 4BC0483A380205AAE2148B80AC4AF5077A4A34AB10F448001F649A99F382A228E0AA90

Non-executed Functions

Function 00109576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0010961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0010965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0010969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001096C9
SendMessageW.USER32 ref: 001096F2
GetKeyState.USER32(00000011), ref: 0010978B
GetKeyState.USER32(00000009), ref: 00109798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001097AE
GetKeyState.USER32(00000010), ref: 001097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001097E9
SendMessageW.USER32 ref: 00109810
SendMessageW.USER32(?,00001030,?,00107E95), ref: 00109918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0010992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00109941
SetCapture.USER32(?), ref: 0010994A
ClientToScreen.USER32(?,?), ref: 001099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001099D6
ReleaseCapture.USER32 ref: 001099E1
GetCursorPos.USER32(?), ref: 00109A19
ScreenToClient.USER32(?,?), ref: 00109A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00109A80
SendMessageW.USER32 ref: 00109AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00109AEB
SendMessageW.USER32 ref: 00109B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00109B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00109B4A
GetCursorPos.USER32(?), ref: 00109B68
ScreenToClient.USER32(?,?), ref: 00109B75
GetParent.USER32(?), ref: 00109B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00109BFA
SendMessageW.USER32 ref: 00109C2B
ClientToScreen.USER32(?,?), ref: 00109C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00109CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00109CDE
SendMessageW.USER32 ref: 00109D01
ClientToScreen.USER32(?,?), ref: 00109D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00109D82

Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952

GetWindowLongW.USER32(?,000000F0), ref: 00109E05

Strings

@GUI_DRAGID, xrefs: 0010997D
@U=u, xrefs: 0010965B, 001096C9, 001096F2, 001097AE, 001097E9, 00109810, 00109918, 00109A80, 00109AAE, 00109AEB, 00109B1A, 00109BFA, 00109C2B, 00109CDE, 00109D01
F, xrefs: 00109D07

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: fe5483831ab1b7bb4ecd54284b248929236c1395aefd793420727bb9b11ae450
Instruction ID: 341071ed9187ef95c116ffc2dbaf1e536fde14767ec9fe03351c8a64ac2b2c47
Opcode Fuzzy Hash: fe5483831ab1b7bb4ecd54284b248929236c1395aefd793420727bb9b11ae450
Instruction Fuzzy Hash: 5042AE75608201AFD724CF24CC64AAABBE5FF49314F144619F6D9876E2D7B2E890CF81

Function 00104873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00104908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00104927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0010494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0010495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0010497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00104A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00104A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00104A7E
IsMenu.USER32(?), ref: 00104A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00104AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00104B20
GetWindowLongW.USER32(?,000000F0), ref: 00104B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00104BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00104C82
wsprintfW.USER32 ref: 00104CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00104CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00104CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00104D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00104D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00104D5A

Strings

%d/%02d/%02d, xrefs: 00104CA8
@U=u, xrefs: 001048F3, 00104908, 0010495C, 00104A0F, 00104A56, 00104A7E, 00104BE3, 00104C82, 00104CC9, 00104D13, 00104D33, 00104E15, 00104E4E, 00104EA5, 00104F10

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: d85db90b8b21f47173d234b1c21addd1763022ac0d35758b9a4ec680a8121318
Instruction ID: a3e521a7f6fe22708324968651facefccedc23e93cf0e30932bbe7c5bfb0f915
Opcode Fuzzy Hash: d85db90b8b21f47173d234b1c21addd1763022ac0d35758b9a4ec680a8121318
Instruction Fuzzy Hash: 1612C1B1600215ABEB249F68CC89FEE7BB8FF45710F104229F695DB2E1DBB49941CB50

Function 000D1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
Part of subcall function 000D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
Part of subcall function 000D16C3: GetLastError.KERNEL32 ref: 000D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000D12A8
CloseHandle.KERNEL32(?), ref: 000D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000D12D1
GetProcessWindowStation.USER32 ref: 000D12EA
SetProcessWindowStation.USER32(00000000), ref: 000D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000D1310

Part of subcall function 000D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000D11FC), ref: 000D10D4
Part of subcall function 000D10BF: CloseHandle.KERNEL32(?,?,000D11FC), ref: 000D10E9

Strings

default, xrefs: 000D130B
, xrefs: 000D125A
winsta0, xrefs: 000D12CC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 7105e155cb91807570b3814c3bce6f53e9e6220ea53cc142300eba44d154ba4b
Instruction ID: 592216ce1a2079d7808628847c3b068c9766408f027f08fb5d1dfd24ca767648
Opcode Fuzzy Hash: 7105e155cb91807570b3814c3bce6f53e9e6220ea53cc142300eba44d154ba4b
Instruction Fuzzy Hash: 67816D71900309BBDF219FA4DC49FEE7BB9EF08704F14412AF911A62A1DBB18995CF61

Function 000D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
Part of subcall function 000D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
Part of subcall function 000D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
Part of subcall function 000D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000D0C00
GetLengthSid.ADVAPI32(?), ref: 000D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000D0C6D
GetLengthSid.ADVAPI32(?), ref: 000D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000D0C8C
HeapAlloc.KERNEL32(00000000), ref: 000D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000D0CB4
CopySid.ADVAPI32(00000000), ref: 000D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D45
HeapFree.KERNEL32(00000000), ref: 000D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D55
HeapFree.KERNEL32(00000000), ref: 000D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D65
HeapFree.KERNEL32(00000000), ref: 000D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000D0D78
HeapFree.KERNEL32(00000000), ref: 000D0D7F

Part of subcall function 000D1193: GetProcessHeap.KERNEL32(00000008,000D0BB1,?,00000000,?,000D0BB1,?), ref: 000D11A1
Part of subcall function 000D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000D0BB1,?), ref: 000D11A8
Part of subcall function 000D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000D0BB1,?), ref: 000D11B7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c339af6b90ab8f3884ae3dba7a42f8244379e45e4ce9e346e6ea9cb39b94aed8
Instruction ID: 85aac158a79e674799858b709baad6d55624594bf0a63f06b97866d242e0b4d3
Opcode Fuzzy Hash: c339af6b90ab8f3884ae3dba7a42f8244379e45e4ce9e346e6ea9cb39b94aed8
Instruction Fuzzy Hash: 55714A7690020AABDF509FA4DC48BEEBBB9BF05300F144616F958A7291D7B1A945CFB0

Function 000EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0010CC08), ref: 000EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 000EEB37
GetClipboardData.USER32(0000000D), ref: 000EEB43
CloseClipboard.USER32 ref: 000EEB4F
GlobalLock.KERNEL32(00000000), ref: 000EEB87
CloseClipboard.USER32 ref: 000EEB91
GlobalUnlock.KERNEL32(00000000), ref: 000EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 000EEBC9
GetClipboardData.USER32(00000001), ref: 000EEBD1
GlobalLock.KERNEL32(00000000), ref: 000EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 000EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 000EEC38
GetClipboardData.USER32(0000000F), ref: 000EEC44
GlobalLock.KERNEL32(00000000), ref: 000EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000EECD2
GlobalUnlock.KERNEL32(00000000), ref: 000EECF3
CountClipboardFormats.USER32 ref: 000EED14
CloseClipboard.USER32 ref: 000EED59

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8b398be0754b9bf963c9644e147ef14ef83e270baa91622f4d94433597883614
Instruction ID: d532a1e56ac16925500847aae04527de58cb6b081cd02a36af15c97a0fa4ebc0
Opcode Fuzzy Hash: 8b398be0754b9bf963c9644e147ef14ef83e270baa91622f4d94433597883614
Instruction Fuzzy Hash: C361F0342042859FD310EF25D884F6AB7E4AF84704F148619F49AA76A2DB71DD86CFA2

Function 000E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000E69BE
FindClose.KERNEL32(00000000), ref: 000E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000E6A75

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 000E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 000E6ADF

Strings

%03d, xrefs: 000E6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 000E6B32
%4d, xrefs: 000E6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 000E6B6A
%02d, xrefs: 000E6C00, 000E6C0A, 000E6C5A, 000E6CAA, 000E6CFA, 000E6D4A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0d2cb84bc6f8a4c89b82e792614f3743af47331c0d0cd8b2480a9c4a4e654a59
Instruction ID: 21da3ec3c6802f58b55bc8cd4def28cd21001fb64cb79005efc9e55c19b9eb97
Opcode Fuzzy Hash: 0d2cb84bc6f8a4c89b82e792614f3743af47331c0d0cd8b2480a9c4a4e654a59
Instruction Fuzzy Hash: DBD15271908340AEC710EB64D882EAFB7ECBF98704F44491DF589D7192EB79DA44CB62

Function 000E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000E9663
GetFileAttributesW.KERNEL32(?), ref: 000E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 000E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 000E96D3
FindClose.KERNEL32(00000000), ref: 000E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 000E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 000E974A
SetCurrentDirectoryW.KERNEL32(00136B7C), ref: 000E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E9772
FindClose.KERNEL32(00000000), ref: 000E977F
FindClose.KERNEL32(00000000), ref: 000E978F

Strings

*.*, xrefs: 000E96F5

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fa38e03025518202e500249f885f2f4ff9722444b8b8b3c70d6267b3296df259
Instruction ID: be62db34bd235717b1ac21749b548852d715079cc01b757d123701e98e21e19d
Opcode Fuzzy Hash: fa38e03025518202e500249f885f2f4ff9722444b8b8b3c70d6267b3296df259
Instruction Fuzzy Hash: 8C31F3326002597EDF24AFB6DC08ADE77ECAF09321F144166F884F2091DB74DD848E50

Function 000E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 000E9819
FindClose.KERNEL32(00000000), ref: 000E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 000E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 000E9890
SetCurrentDirectoryW.KERNEL32(00136B7C), ref: 000E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E98B8
FindClose.KERNEL32(00000000), ref: 000E98C5
FindClose.KERNEL32(00000000), ref: 000E98D5

Part of subcall function 000DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000DDB00

Strings

*.*, xrefs: 000E983B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 725aff71902fddf23cc4eb5f06f3ace7149650364359c35d54d099b0d9054b2a
Instruction ID: ab1320fae699fdc4c5d513a197180ab923fd39621a45dadd90aecb8108b29f94
Opcode Fuzzy Hash: 725aff71902fddf23cc4eb5f06f3ace7149650364359c35d54d099b0d9054b2a
Instruction Fuzzy Hash: 1031C1316002596EDF20AFB6ED48ADEB7ACAF06320F148155F890B21E1DF74DE858F60

Function 000FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 000FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 000FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 000FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000FC382
RegCloseKey.ADVAPI32(00000000), ref: 000FC38F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: bd1a182ddfe5c19df2a6626a5e42bb829f5aac02ecc1982f1b3f1cb16b8a36dd
Instruction ID: 4e45f987a0e2af79e5bfb496c0cfd4456131da5f03bc0b782c764945b1ec01c6
Opcode Fuzzy Hash: bd1a182ddfe5c19df2a6626a5e42bb829f5aac02ecc1982f1b3f1cb16b8a36dd
Instruction Fuzzy Hash: CA026C706042049FD754CF28C991E2ABBE5EF89308F18C49DF94ACB6A2DB31ED45DB91

Function 000E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 000E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 000E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 000E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 000E8395

Strings

*.*, xrefs: 000E839B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3171552701263003676ca32dfecb7494f140d81dc08e0175f62770e207f2097b
Instruction ID: 8ae52b013d8b3af0e91c41def56390c18baf16163696cdaa43416452dcec1a74
Opcode Fuzzy Hash: 3171552701263003676ca32dfecb7494f140d81dc08e0175f62770e207f2097b
Instruction Fuzzy Hash: 45619B725043459FCB10EF60C840AAEB3E8FF89310F04892EF98D97252DB35EA45CB92

Function 000DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2

Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A

FindFirstFileW.KERNEL32(?,?), ref: 000DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000DD1DD
MoveFileW.KERNEL32(?,?), ref: 000DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000DD237

Part of subcall function 000DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000DD21C,?,?), ref: 000DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000DD253
FindClose.KERNEL32(00000000), ref: 000DD264

Strings

\*.*, xrefs: 000DD0CD, 000DD0D6, 000DD0EB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 8587245897998d6c409744c25654e6c80e4d0d13587c7933ca9ca79c30e13225
Instruction ID: e4570435cb19d01ff158cd2a692021fa101dd666da232d547503c893eb23a253
Opcode Fuzzy Hash: 8587245897998d6c409744c25654e6c80e4d0d13587c7933ca9ca79c30e13225
Instruction Fuzzy Hash: EE617C31C0120DAACF15EBE0D992DFDB7B5AF65300F208166E40677292EB34AF09CB65

Function 000EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000EED91
EmptyClipboard.USER32 ref: 000EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 000EEDAC
CloseClipboard.USER32 ref: 000EEEA3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6755d14ae4697287231fdead524d64e0ef01ee9a7f031fbec14dd01ae23b3ebf
Instruction ID: fce4b86fb7387843f4d2deef99067ee2ce2645faeba1de9914f5f6af70a06ed6
Opcode Fuzzy Hash: 6755d14ae4697287231fdead524d64e0ef01ee9a7f031fbec14dd01ae23b3ebf
Instruction Fuzzy Hash: 8B41AC35604691AFE320DF16D888F19BBE1AF44328F14C199E4599BB62C776EC81CFD0

Function 000DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
Part of subcall function 000D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
Part of subcall function 000D16C3: GetLastError.KERNEL32 ref: 000D174A

ExitWindowsEx.USER32(?,00000000), ref: 000DE932

Strings

, xrefs: 000DE95C
SeShutdownPrivilege, xrefs: 000DE902
@, xrefs: 000DE925
, xrefs: 000DE920

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 81c5fcf9c3ccf0feba62c1abddf9d46ef94831653c5813192c2392225234ba02
Instruction ID: 93cfa1101fa44c9effe0622f3d5d5ba2f6d59934124578d3484f5536dd1f3a45
Opcode Fuzzy Hash: 81c5fcf9c3ccf0feba62c1abddf9d46ef94831653c5813192c2392225234ba02
Instruction Fuzzy Hash: BB012672611311BBEB6433B4DC96FFFB29C9714744F140923F802E62D2DAA05C8086F0

Function 000F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000F1276
WSAGetLastError.WSOCK32 ref: 000F1283
bind.WSOCK32(00000000,?,00000010), ref: 000F12BA
WSAGetLastError.WSOCK32 ref: 000F12C5
closesocket.WSOCK32(00000000), ref: 000F12F4
listen.WSOCK32(00000000,00000005), ref: 000F1303
WSAGetLastError.WSOCK32 ref: 000F130D
closesocket.WSOCK32(00000000), ref: 000F133C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fdd9d6aac11a17077c58a6f26d49ba55c8d708a451b62fe94d2b96f5bb1c6b5f
Instruction ID: 4ceb750356be7dd961195b45f89f1ad9ad54a9fd86456e70515d9bd52e40cb9d
Opcode Fuzzy Hash: fdd9d6aac11a17077c58a6f26d49ba55c8d708a451b62fe94d2b96f5bb1c6b5f
Instruction Fuzzy Hash: 4E418F31A00104DFD750DF64C488BA9BBE6AF86318F18C199E9568F6D2C771ED81DBE1

Function 000AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000AB9D4
_free.LIBCMT ref: 000AB9F8
_free.LIBCMT ref: 000ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00113700), ref: 000ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0014121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00141270,000000FF,?,0000003F,00000000,?), ref: 000ABC36
_free.LIBCMT ref: 000ABD4B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: bd8d6e6dd8c8be6802ca4b6a92bb4b300530e53c8726e080e477bcc533a3d9dd
Instruction ID: 695f76578548096a9090185013809277cd037da48867eeab2d2b02052d7e51d7
Opcode Fuzzy Hash: bd8d6e6dd8c8be6802ca4b6a92bb4b300530e53c8726e080e477bcc533a3d9dd
Instruction Fuzzy Hash: 2DC11676904244AFCB209FE89C51BEE7BE9EF53310F2442AAE495D7253EB709E81C750

Function 000DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2

Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A

FindFirstFileW.KERNEL32(?,?), ref: 000DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000DD481
FindClose.KERNEL32(00000000), ref: 000DD498
FindClose.KERNEL32(00000000), ref: 000DD4A1

Strings

\*.*, xrefs: 000DD3F2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9bb6b5d6b7061c5936065c58c13b9bfdc7cb5ba436aca8575ae8790d38088134
Instruction ID: 519edf9f085325b57813f15724b8dd9f97d30daa8638e87a8a2e980a332a4e18
Opcode Fuzzy Hash: 9bb6b5d6b7061c5936065c58c13b9bfdc7cb5ba436aca8575ae8790d38088134
Instruction Fuzzy Hash: C73182314083459BC310EF64C8528EF77E8BF92314F448A1EF4D553292EB34AA09CBA7

Function 000AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000AE645

Strings

1#QNAN, xrefs: 000AF84B
1#INF, xrefs: 000AF852
1#SNAN, xrefs: 000AF844
1#IND, xrefs: 000AF83D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 74328be0f408175808c369549f6b9367736b91dc59e0fa32ccc0dd297459df76
Instruction ID: 9488d1ddfb88219ae65117cc58e21adca56559d84a232637f7a8fd91969a7af2
Opcode Fuzzy Hash: 74328be0f408175808c369549f6b9367736b91dc59e0fa32ccc0dd297459df76
Instruction Fuzzy Hash: BAC25A71E086298FDB65CEA8DD407EAB7F5EB4A304F1441EAD44DE7241E778AE818F40

Function 000E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000E64DC
CoInitialize.OLE32(00000000), ref: 000E6639
CoCreateInstance.OLE32(0010FCF8,00000000,00000001,0010FB68,?), ref: 000E6650
CoUninitialize.OLE32 ref: 000E68D4

Strings

.lnk, xrefs: 000E64BA, 000E6524, 000E65E0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ebed36bc3598808b7896f60fa312760f5dfa1ec05fa6b3b812a87cfd514f8ce
Instruction ID: 51f14e56446e3e5e74f5f5fb76adc9fa06f7437e1d1b6348f10cfed2ea923e38
Opcode Fuzzy Hash: 1ebed36bc3598808b7896f60fa312760f5dfa1ec05fa6b3b812a87cfd514f8ce
Instruction Fuzzy Hash: CCD15B71608741AFD314DF24C881DABB7E8FF94344F00896DF5999B2A2DB71E905CB92

Function 000F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 000F22E8

Part of subcall function 000EE4EC: GetWindowRect.USER32(?,?), ref: 000EE504

GetDesktopWindow.USER32 ref: 000F2312
GetWindowRect.USER32(00000000), ref: 000F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000F2355
GetCursorPos.USER32(?), ref: 000F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000F23DF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: cb63e4216829bc0900aad6257109dff347fca9313ea079e4a4fdda3736a0c553
Instruction ID: ac8baca923b12c0a90436bd0c8556092ceeb00c1d695868544b5aebad74659e9
Opcode Fuzzy Hash: cb63e4216829bc0900aad6257109dff347fca9313ea079e4a4fdda3736a0c553
Instruction Fuzzy Hash: 5A31CFB2505359AFC720DF14C845EABBBE9FF84314F000A19F98597291DB75EA48CBD2

Function 000E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000E9C8B

Part of subcall function 000E3874: GetInputState.USER32 ref: 000E38CB
Part of subcall function 000E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000E9C75

Strings

*.*, xrefs: 000E9B5D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c4cb776ca6fe1dae9a5249dd3781e0bbe243c5a19528c0e7c76b5d018824765a
Instruction ID: 34b1f0bab64d54258c424f94905ca4e629a9e25050fcfcdd95393faf3a7960a2
Opcode Fuzzy Hash: c4cb776ca6fe1dae9a5249dd3781e0bbe243c5a19528c0e7c76b5d018824765a
Instruction Fuzzy Hash: BE418271D0024AAFDF54EF65C945AEEBBF8EF05310F248155E505B2192EB349E84CFA4

Function 0008997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00089A4E
GetSysColor.USER32(0000000F), ref: 00089B23
SetBkColor.GDI32(?,00000000), ref: 00089B36

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0dee26294551ad96731ffca259a3223ff88e0d778c6b8078a2931944c0833122
Instruction ID: 160fdc621c9042a9edc9d7b8dc19373b4ae8e8caf7b2cc24c67dd0ec208993d2
Opcode Fuzzy Hash: 0dee26294551ad96731ffca259a3223ff88e0d778c6b8078a2931944c0833122
Instruction Fuzzy Hash: 95A1F570208414BEE678BB2C8C58E7F26DDFB82350B19020DF582D6ED2CB659D41DBB6

Function 000F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
Part of subcall function 000F304E: _wcslen.LIBCMT ref: 000F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000F185D
WSAGetLastError.WSOCK32 ref: 000F1884
bind.WSOCK32(00000000,?,00000010), ref: 000F18DB
WSAGetLastError.WSOCK32 ref: 000F18E6
closesocket.WSOCK32(00000000), ref: 000F1915

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 02ee07e19289fc953b35348cdf9b2f2dbed32013f51ed875c517ada02a5ad6a4
Instruction ID: bc3a0f1e71b0ce80ca94db465672e6992ba42c9002f92b77c41167321f7bd187
Opcode Fuzzy Hash: 02ee07e19289fc953b35348cdf9b2f2dbed32013f51ed875c517ada02a5ad6a4
Instruction Fuzzy Hash: 9A51A171A00204AFE710AF24C886FBA77E5AB44718F54C058FA4A5F6C3DA75AD428BE1

Function 00101C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00101CC0
IsWindowEnabled.USER32 ref: 00101CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00101CDB
IsIconic.USER32 ref: 00101CE9
IsZoomed.USER32 ref: 00101CF7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b1b5be4b174927a53b2c1dc192dff9814f2d15863d3bcc602c5cf47dfcd1bea8
Instruction ID: 4c7431879bc99628e552bc9de8fe4d5bd2144318fef1af18719f080fef687e07
Opcode Fuzzy Hash: b1b5be4b174927a53b2c1dc192dff9814f2d15863d3bcc602c5cf47dfcd1bea8
Instruction Fuzzy Hash: FD2176317402116FE7249F16C844B5A7B95BF95315F198068E88A8B391CBB5DC42CB94

Function 00078060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000B5DF0
ERCP, xrefs: 0007813C
VUUU, xrefs: 000783FA
VUUU, xrefs: 0007843C
VUUU, xrefs: 000783E8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 52f5b08c703cbef701a042f4c125efa30e73e0ea2d3bdbb07154002ad23839b8
Instruction ID: 6847919f3beca5b4b5a9ea202aeb4f64829facb45c068aeae902cbf28899c709
Opcode Fuzzy Hash: 52f5b08c703cbef701a042f4c125efa30e73e0ea2d3bdbb07154002ad23839b8
Instruction Fuzzy Hash: A2A27E70E4061ACBDF74CF58C8447EEB7B1BB54310F24C5AAD819A7281EB799E81CB94

Function 000FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 000FA6BA

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Process32NextW.KERNEL32(00000000,?), ref: 000FA79C
CloseHandle.KERNEL32(00000000), ref: 000FA7AB

Part of subcall function 0008CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000B3303,?), ref: 0008CE8A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 920f070ce84141c02e7459da7a3790c8203341606ff62c7070d469d2a955e638
Instruction ID: 89e87a785caf9b52f4841c0759c35c5c18f4399e46fc5f2c092366c4434b7ab5
Opcode Fuzzy Hash: 920f070ce84141c02e7459da7a3790c8203341606ff62c7070d469d2a955e638
Instruction Fuzzy Hash: 5F5170B19083019FD710EF24C886EABBBE8FF89754F40891DF58997252EB74D905CB92

Function 000DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000DAAAC
SetKeyboardState.USER32(00000080), ref: 000DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000DAB88

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 12eb0a46f4ac6b9bea69003887fa560237e9448a9ac131c23d7abf15b992bb60
Instruction ID: a46c8b1649791ad076a386d4739d3e784c04c990d70d5bedc6b13e008f8f07b0
Opcode Fuzzy Hash: 12eb0a46f4ac6b9bea69003887fa560237e9448a9ac131c23d7abf15b992bb60
Instruction Fuzzy Hash: D031D530B40348AEEF358B648C05BFA7BEAAB46320F14421BF581563D2D3758982C7B6

Function 000ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 000ECE89
GetLastError.KERNEL32(?,00000000), ref: 000ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 000ECEFE

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9c6f6b77c8dabe41ccb8d011be06962d827a24d37c0ed1386b0ccf5c3a391730
Instruction ID: d2f132dcf338ce4ccc3606bbb8bf1efb6b297ffe6ba19594cfd44c31a7a701bd
Opcode Fuzzy Hash: 9c6f6b77c8dabe41ccb8d011be06962d827a24d37c0ed1386b0ccf5c3a391730
Instruction Fuzzy Hash: B921BD71500345AFEB30DFA6C949FAAB7F8EB00354F10442EE546A2652E771EE469BA0

Function 000D8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000D82AA

Strings

|, xrefs: 000D82DA
(, xrefs: 000D82F0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 30d194ed96cfffb8005616d4034cfd4706dfcaa8ca0828c51dfa0bc8a1143912
Instruction ID: 520cb8a7f0c7cc3ff01ee09f7250816f92113d3f9bf9d657377e8aada4221c03
Opcode Fuzzy Hash: 30d194ed96cfffb8005616d4034cfd4706dfcaa8ca0828c51dfa0bc8a1143912
Instruction Fuzzy Hash: 7A322674A007059FCB28CF69C481AAAB7F0FF48710B15C56EE59ADB3A1EB70E941CB54

Function 000E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 000E5D17
FindClose.KERNEL32(?), ref: 000E5D5F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 79873e67446d6a6e7d20c87df3d2ea6557cd6668f7d9019dbd836c2e17ccc53a
Instruction ID: 9f7245e4a94e09038bb06be2877805aedfcbeded4b20ab48afc477caacf0733f
Opcode Fuzzy Hash: 79873e67446d6a6e7d20c87df3d2ea6557cd6668f7d9019dbd836c2e17ccc53a
Instruction Fuzzy Hash: E5519E34604A419FC714DF29C894E9AB7E4FF4A318F14895DE99A9B3A2CB30ED44CF91

Function 000A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000A2731

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6ba4638fb05c1ee91d66929dc91ab671beca7d330bd989e04eb3108eff1e9644
Instruction ID: 7aebffa3d1fe33c8cc2b55e21b5f21679ac797e42e8ed3626512073a6bdecb97
Opcode Fuzzy Hash: 6ba4638fb05c1ee91d66929dc91ab671beca7d330bd989e04eb3108eff1e9644
Instruction Fuzzy Hash: 4931D574911218ABCB21DF68DC887DCB7B8BF08310F5042EAE81CA7261E7709F818F85

Function 000E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000E5238
SetErrorMode.KERNEL32(00000000), ref: 000E52A1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 92be8cebac8eef7f3cca6b0afad1823f7112ebe002d08afb5617dcf364d1dc00
Instruction ID: 13589a49cbf41713da592f0fda356047555f976789b079bbe9e139bf52b8e71e
Opcode Fuzzy Hash: 92be8cebac8eef7f3cca6b0afad1823f7112ebe002d08afb5617dcf364d1dc00
Instruction Fuzzy Hash: D1317C35A00608DFDB00DF54D884EADBBF4FF49318F048099E909AB3A2DB75E845CB90

Function 000D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0008FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00090668
Part of subcall function 0008FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00090685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
GetLastError.KERNEL32 ref: 000D174A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3c7fa1ea1ab3a8162968fa7fc8ffe059c644e73c96ea635f48690b137d79391f
Instruction ID: e243e6d00dd017be1ec1ef101f27b705c3d313670c215f98a3ae100b2944328d
Opcode Fuzzy Hash: 3c7fa1ea1ab3a8162968fa7fc8ffe059c644e73c96ea635f48690b137d79391f
Instruction Fuzzy Hash: 7711BFB2404305BFD718AF64DC86DABB7BDFB04714B20852EF49656651EB70BC418B60

Function 000DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD650

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 49824208a852c182024d868404325fc919fc6d938f10b051951d71a29ce30898
Instruction ID: 60d516d3fce64110dd37f36a933b98bc75676837c0cea72c079c007ffad2775d
Opcode Fuzzy Hash: 49824208a852c182024d868404325fc919fc6d938f10b051951d71a29ce30898
Instruction Fuzzy Hash: 51113C75E05228BBDB208F959C45FAFBBBCEB45B50F108156F904E7290D6B08A058BE1

Function 000D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000D16A1
FreeSid.ADVAPI32(?), ref: 000D16B1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c147f8ea5bbd32c483bb66848392bb2520d471da0f95d8d524199aadd8172d19
Instruction ID: 492d97febd7c0c4c1ae4035336e257b43fabdec3dc7261d63e38fc84d84a5b57
Opcode Fuzzy Hash: c147f8ea5bbd32c483bb66848392bb2520d471da0f95d8d524199aadd8172d19
Instruction Fuzzy Hash: 11F0F475950309FBEB00DFE49D89AAEBBBCEB08604F504565F501E2181E774AA448AA0

Function 000AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 000AC36C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 638a0f63ce4071cf9b8082b018db68b154d69bdc96e9c9139f9717a2ee69704e
Instruction ID: e320d21e66ad495c95e3fecf944ecb510d3bcda7f01b0b7d0c732eeecab23630
Opcode Fuzzy Hash: 638a0f63ce4071cf9b8082b018db68b154d69bdc96e9c9139f9717a2ee69704e
Instruction Fuzzy Hash: 24415976900218AFDB20DFF9CC48EBB77B8EB85314F1082A9F905D7181E6709E80CB50

Function 000CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000CD28C

Strings

X64, xrefs: 000CD2A8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f91ab993ad11dd1327e3843cff608302aea2781799642c6796d8ec523dbd45c4
Instruction ID: 9be90e9cb0484676547d1d785ff98cf2eb2ecb5badd8e7572bf4d67c990313ae
Opcode Fuzzy Hash: f91ab993ad11dd1327e3843cff608302aea2781799642c6796d8ec523dbd45c4
Instruction Fuzzy Hash: 88D0C9B480111DEACBA4DB90DC88EDDB37CBB14305F100256F146A2140D77095499F10

Function 0009CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 484f834056c0be9c8fe20615ff8d9ffac3c1738b7f3b7005c2a2e7e6eed841ac
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 1D022D71E012199FEF14CFA9C890AADFBF1EF48314F258169D819E7381D731AA41DB94

Function 000E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000E6918
FindClose.KERNEL32(00000000), ref: 000E6961

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6cfe01698328bf0cd73b1014b0ddd3b3aede215fb389d4cf204ce1ce346867cc
Instruction ID: 171bc83946cc0130f9f0ec22a7cbf3239a0aa2083d11d6c01373903a235933c6
Opcode Fuzzy Hash: 6cfe01698328bf0cd73b1014b0ddd3b3aede215fb389d4cf204ce1ce346867cc
Instruction Fuzzy Hash: 1E11BE316042409FD710DF2AD484A1ABBE5EF85328F14C6A9F4699F6A3CB35EC45CB90

Function 000E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000F4891,?,?,00000035,?), ref: 000E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000F4891,?,?,00000035,?), ref: 000E37F4

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4f8a92d81427af889eae93806c827cbf45e660cffee4c289b8d8a51541372dd8
Instruction ID: 4db4b28bd845081df9810690fdd71a0905ec3c1cded1f115e56f7e9ba335eb97
Opcode Fuzzy Hash: 4f8a92d81427af889eae93806c827cbf45e660cffee4c289b8d8a51541372dd8
Instruction Fuzzy Hash: EDF0E5B06052292AEB2017678C4DFEB3AAEEFC4761F000275F509E3681D9A09944CAF0

Function 000D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000D11FC), ref: 000D10D4
CloseHandle.KERNEL32(?,?,000D11FC), ref: 000D10E9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 28fda1eba7059b381763a97a12103689dbc6942d948da8cd3a3de1cfbd462272
Instruction ID: f253a06c64b10a33b7abebd3c28e3629b39f36c49eedfdbc990e91500bc6c8ae
Opcode Fuzzy Hash: 28fda1eba7059b381763a97a12103689dbc6942d948da8cd3a3de1cfbd462272
Instruction Fuzzy Hash: BBE01A32014601AEE7252B21FC05EB37BA9FB04310B10892EB5A5808B1DAA26CE0DB50

Function 0007CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000C0C40

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: bcd2c05d99fb6c7043133fc81b4c26f2ae4ec79047cb02eda2fc1a015df70556
Instruction ID: 736333a707e16d2a810084a0b5a44f0c93651472b6529541ed9c4d093824616e
Opcode Fuzzy Hash: bcd2c05d99fb6c7043133fc81b4c26f2ae4ec79047cb02eda2fc1a015df70556
Instruction Fuzzy Hash: BC323570900218DBEF24DF94C895FEDB7B5BF05304F24806DE80AAB292D779AE45CB65

Function 000A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000A6766,?,?,00000008,?,?,000AFEFE,00000000), ref: 000A6998

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b1c63c941c9d5fe820fe1b8648651487481741389c5e52a98539f524cc1466cb
Instruction ID: 1e9d5cd0a70b49720b8491f3ce4942de174ca58469cf1e2bf0fcae71170e7bcc
Opcode Fuzzy Hash: b1c63c941c9d5fe820fe1b8648651487481741389c5e52a98539f524cc1466cb
Instruction Fuzzy Hash: 30B13D31610608DFD755CF68C48AB697BF0FF46364F298658E89ACF2A2C736D991CB40

Function 0008B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000C851F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 14f703a0d1376c5989b161b1c47bfa681bccaa93987ad99cb9bf95a97c11f97d
Instruction ID: c254b0aee58229048da1b402e33420af12788e7b008d06909c9a736dd62e1c44
Opcode Fuzzy Hash: 14f703a0d1376c5989b161b1c47bfa681bccaa93987ad99cb9bf95a97c11f97d
Instruction Fuzzy Hash: 25125F719002299BDB64DF58C881BEEB7F5FF48710F1481AAE849EB251DB709E81CB94

Function 000EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000EEABD

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0ab83952e47d4fe5ce6df4b8a59e37cc6662de0daf3470d69d55741022f80b74
Instruction ID: 5c5af7bc6e8873986b2bf1eb5e99e9e08b8a1c1d5e5c9a760a0dd31edc990497
Opcode Fuzzy Hash: 0ab83952e47d4fe5ce6df4b8a59e37cc6662de0daf3470d69d55741022f80b74
Instruction Fuzzy Hash: 7BE04F312002049FD710EF6AD804E9AF7E9AF98760F04C42AFC49D7391DBB4F8408B91

Function 000909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000903EE), ref: 000909DA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f0a6f784f97942b43784582b1d6fe5fd066248836564df092c660c22c055570
Instruction ID: c980d46b0653971412f51a32b3fb63a18e27590b6b0177063f219e7224d655c4
Opcode Fuzzy Hash: 8f0a6f784f97942b43784582b1d6fe5fd066248836564df092c660c22c055570
Instruction Fuzzy Hash:

Function 0009781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0009798B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 38797e97cbe3b5409aa3815a2bb343da2a5e654f334e17621c228c33a7fc6c15
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 655155636BC6055ADFB88528885E7FF23C9DB42304F280509E88EDB292CE15DE02F356

Function 000A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b624095efe4bcb400282fa4cf748b89b74a9d044cd904a9e020dd5b4d329938
Instruction ID: b1c134f8956a207e56876a2c8e0e16dd961045747b927b463f8edc960c716a8f
Opcode Fuzzy Hash: 6b624095efe4bcb400282fa4cf748b89b74a9d044cd904a9e020dd5b4d329938
Instruction Fuzzy Hash: 22321222D29F014DDB279634DD22336A689AFB73C5F15D737E81AB5EA6EB29C4C34100

Function 0008CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2035383c92253d1313187d4a9bb51fabf9fe4ada2a89b918824ef4e2614189
Instruction ID: 697fc979da455f762f84046bd0ae89c2fd4ba70325c135f9452167aabdee80f1
Opcode Fuzzy Hash: 4a2035383c92253d1313187d4a9bb51fabf9fe4ada2a89b918824ef4e2614189
Instruction Fuzzy Hash: D832EE32A041458BFF78DB28C494FBDBBE1EB45304F28856ED89E9B691D230DD81DB51

Function 00077920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbee05a5dcc008cb3c6fa306ffccc352f16c092e0d6aace5640c7e8daa6c6bef
Instruction ID: 802983f7a3554a8ea7a6637e72ef10b65f87bdf6d9c423c45b617bd45877b813
Opcode Fuzzy Hash: dbee05a5dcc008cb3c6fa306ffccc352f16c092e0d6aace5640c7e8daa6c6bef
Instruction Fuzzy Hash: 01229E70E0060A9FDF14CF64C881BEEB3F5FF48341F148569E81AA7291EB3AA954CB54

Function 000791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb433bfe476e12f734101ce25f6f0a94c09f545be07c696e17b3e0c52fd8578d
Instruction ID: 3c68fc2988fd752fdc9b8abb66e7da8735c0166c4d9a53cb2063fc79394e48c3
Opcode Fuzzy Hash: bb433bfe476e12f734101ce25f6f0a94c09f545be07c696e17b3e0c52fd8578d
Instruction Fuzzy Hash: 8202C8B0E00206EFDF14DF64D841AEEB7B5FF44300F118169E85A9B291EB35AE51CB95

Function 00091C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 694a63dade0066b89d1952879eb0f7cbb0ab3662a43bd2723c497e578426910f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 179146727090A34ADF6D463A85740BEFFE15F923A131A079DE4F2CA1C5EE24D954F620

Function 000919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a58054e344b473841416efdac37b73d5464cfae3d150d6840d3de0da533d2b8e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 749114723090A34ADFAD467A85740BDFFE15B923A231A079DD4F2CA1C5FE24D954F620

Function 00097A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfce7b9a270eda301d35c901ae258acc4a1e134889a665ff483664d4af79986
Instruction ID: e2aed95262f4a31aaeaf984653059465653dd59640585bc08ad7c7749e721bbc
Opcode Fuzzy Hash: 0cfce7b9a270eda301d35c901ae258acc4a1e134889a665ff483664d4af79986
Instruction Fuzzy Hash: E261897322C30956DEB899288CA5BFE23C9DF82700F14491EE94EDB292D7119E42F356

Function 00097CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e35cb4663c4237f45f6ff668a5bf9676b64470e1de4ec2ca47631a1264de539
Instruction ID: 9347b39de7720124cc5f3e459e21eddc03c4f8b441ec789aa4f6093cd90b6fe7
Opcode Fuzzy Hash: 3e35cb4663c4237f45f6ff668a5bf9676b64470e1de4ec2ca47631a1264de539
Instruction Fuzzy Hash: 8D61897333C70997DEB84A288851BFF23E8EF46704F104959E88FDB282DA129D42B355

Function 00091706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b7a1f876686d34415f0682e997a952b4598bcfea3502a30468e1d79fb2b29afb
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 9381627270D0A309DFAE427A85344BEFFE15F923A131A079ED4F2CA1C1EE249554F620

Function 000E2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61e69edb1b8e20fa682f047c37a1066d25a5912eaee3995838f553889adf6f5
Instruction ID: f3c17f25d80af9693a0330d78127a62db9fd04f27a3117c63fccf021588c11de
Opcode Fuzzy Hash: f61e69edb1b8e20fa682f047c37a1066d25a5912eaee3995838f553889adf6f5
Instruction Fuzzy Hash: D621E7322206118BDB28CF79C82367E73E9A754320F558A2EE4A7D37D1DE35A944CB80

Function 000F2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000F2B30
DeleteObject.GDI32(00000000), ref: 000F2B43
DestroyWindow.USER32 ref: 000F2B52
GetDesktopWindow.USER32 ref: 000F2B6D
GetWindowRect.USER32(00000000), ref: 000F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2CF8
GetClientRect.USER32(00000000,?), ref: 000F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D80
GlobalLock.KERNEL32(00000000), ref: 000F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D98
GlobalUnlock.KERNEL32(00000000), ref: 000F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2DA8
GlobalFree.KERNEL32(00000000), ref: 000F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0010FC38,00000000), ref: 000F2DDB
GlobalFree.KERNEL32(00000000), ref: 000F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F303F

Strings

AutoIt v3, xrefs: 000F2CF2
static, xrefs: 000F2D3A, 000F2E91
DISPLAY, xrefs: 000F2EA2
@U=u, xrefs: 000F2E30, 000F2FBF
, xrefs: 000F2FC5

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 27ed1b493f8c4e2fb58c735dd5858f10d0ad5d92b41a9b4d440eb2f22a963085
Instruction ID: 744fd026a9276b437b130f7f452f994ac5827faa9c94d7b3e9029cabeb2ee588
Opcode Fuzzy Hash: 27ed1b493f8c4e2fb58c735dd5858f10d0ad5d92b41a9b4d440eb2f22a963085
Instruction Fuzzy Hash: 43027D75900209EFDB14DF64CC89EAE7BB9FB49710F148218F915AB6A1CB74AD41CFA0

Function 001070D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0010712F
GetSysColorBrush.USER32(0000000F), ref: 00107160
GetSysColor.USER32(0000000F), ref: 0010716C
SetBkColor.GDI32(?,000000FF), ref: 00107186
SelectObject.GDI32(?,?), ref: 00107195
InflateRect.USER32(?,000000FF,000000FF), ref: 001071C0
GetSysColor.USER32(00000010), ref: 001071C8
CreateSolidBrush.GDI32(00000000), ref: 001071CF
FrameRect.USER32(?,?,00000000), ref: 001071DE
DeleteObject.GDI32(00000000), ref: 001071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00107230
FillRect.USER32(?,?,?), ref: 00107262
GetWindowLongW.USER32(?,000000F0), ref: 00107284

Part of subcall function 001073E8: GetSysColor.USER32(00000012), ref: 00107421
Part of subcall function 001073E8: SetTextColor.GDI32(?,?), ref: 00107425
Part of subcall function 001073E8: GetSysColorBrush.USER32(0000000F), ref: 0010743B
Part of subcall function 001073E8: GetSysColor.USER32(0000000F), ref: 00107446
Part of subcall function 001073E8: GetSysColor.USER32(00000011), ref: 00107463
Part of subcall function 001073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00107471
Part of subcall function 001073E8: SelectObject.GDI32(?,00000000), ref: 00107482
Part of subcall function 001073E8: SetBkColor.GDI32(?,00000000), ref: 0010748B
Part of subcall function 001073E8: SelectObject.GDI32(?,?), ref: 00107498
Part of subcall function 001073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001074B7
Part of subcall function 001073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001074CE
Part of subcall function 001073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001074DB

Strings

@U=u, xrefs: 001072CC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: e72f114121fdac26c17af607300192471c1a8fabd0fed2e374cadf4af44888f2
Instruction ID: 4268cca0b5ed430c3d1e7cba945704a671df5e9a490d4de06abb9da9e9c20f10
Opcode Fuzzy Hash: e72f114121fdac26c17af607300192471c1a8fabd0fed2e374cadf4af44888f2
Instruction Fuzzy Hash: 79A18F72508301EFD7119F60DC48A6BBBA9FB89320F104B19F9E2965E1D7B1E984CF91

Function 00088D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00088E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000C6F43

Part of subcall function 00088F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00088BE8,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088FC5

SendMessageW.USER32(?,00001053), ref: 000C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000C6FB7

Strings

0, xrefs: 000C6DCF
@U=u, xrefs: 000C6AC5, 000C6BD6, 000C6EBF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 4c4d3152b8b13019ab742c9fe9056caab9d263bac3f7b7d9dd82e5a7d4520ae0
Instruction ID: 2ff12bca7e5c2579ebfe5ee28161b0dead926d0987f95ed7dad1ce741f36d9fe
Opcode Fuzzy Hash: 4c4d3152b8b13019ab742c9fe9056caab9d263bac3f7b7d9dd82e5a7d4520ae0
Instruction Fuzzy Hash: 5D129B38600201AFDB75DF14C888FAAB7E5FB49300F54856DF4858B662CB72AC92CF91

Function 000F2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000F2900
GetClientRect.USER32(00000000,?), ref: 000F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000F2964
GetStockObject.GDI32(00000011), ref: 000F2974
SelectObject.GDI32(00000000,00000000), ref: 000F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F2991
DeleteDC.GDI32(00000000), ref: 000F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 000F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 000F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000F2A77
GetStockObject.GDI32(00000011), ref: 000F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000F2A97

Strings

AutoIt v3, xrefs: 000F28F8
static, xrefs: 000F294F, 000F2A71
DISPLAY, xrefs: 000F295A
msctls_progress32, xrefs: 000F2A13
@U=u, xrefs: 000F29CC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 3c73a53ebd97400e4b89b1ec3d1c5ef2f655cdf5f2993a0b59c312b8f398983d
Instruction ID: 8ecd975f8ffd4b879d9480910d1a41e4ac33ba51186e07235a87e2046a8f3de7
Opcode Fuzzy Hash: 3c73a53ebd97400e4b89b1ec3d1c5ef2f655cdf5f2993a0b59c312b8f398983d
Instruction Fuzzy Hash: 19B15E75A40209AFDB14DF68CC45FAE7BA9FB09710F008114FA14E76A1D7B4AD80CF94

Function 001073E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00107421
SetTextColor.GDI32(?,?), ref: 00107425
GetSysColorBrush.USER32(0000000F), ref: 0010743B
GetSysColor.USER32(0000000F), ref: 00107446
CreateSolidBrush.GDI32(?), ref: 0010744B
GetSysColor.USER32(00000011), ref: 00107463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00107471
SelectObject.GDI32(?,00000000), ref: 00107482
SetBkColor.GDI32(?,00000000), ref: 0010748B
SelectObject.GDI32(?,?), ref: 00107498
InflateRect.USER32(?,000000FF,000000FF), ref: 001074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0010752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00107554
InflateRect.USER32(?,000000FD,000000FD), ref: 00107572
DrawFocusRect.USER32(?,?), ref: 0010757D
GetSysColor.USER32(00000011), ref: 0010758E
SetTextColor.GDI32(?,00000000), ref: 00107596
DrawTextW.USER32(?,001070F5,000000FF,?,00000000), ref: 001075A8
SelectObject.GDI32(?,?), ref: 001075BF
DeleteObject.GDI32(?), ref: 001075CA
SelectObject.GDI32(?,?), ref: 001075D0
DeleteObject.GDI32(?), ref: 001075D5
SetTextColor.GDI32(?,?), ref: 001075DB
SetBkColor.GDI32(?,?), ref: 001075E5

Strings

@U=u, xrefs: 0010752A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 0bc9a9ae0b26a533c2cb5879464066ea6f156404da5aad261a78d92362284f77
Instruction ID: 2b3816afd33bbdbb6792ef2f413ef308c863c4baeac02df5e4313a4fc9577556
Opcode Fuzzy Hash: 0bc9a9ae0b26a533c2cb5879464066ea6f156404da5aad261a78d92362284f77
Instruction Fuzzy Hash: 61616C76D00218AFDB019FA4DC49AEE7FB9EB09320F114215F951AB2E1D7B1A980CF90

Function 000E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000E4AED
GetDriveTypeW.KERNEL32(?,0010CB68,?,\\.\,0010CC08), ref: 000E4BCA
SetErrorMode.KERNEL32(00000000,0010CB68,?,\\.\,0010CC08), ref: 000E4D36

Strings

Fibre, xrefs: 000E4CAD
Network, xrefs: 000E4C02
USB, xrefs: 000E4CB4
RAID, xrefs: 000E4CBB
SSD, xrefs: 000E4C4A
Unknown, xrefs: 000E4BED, 000E4C83
Fixed, xrefs: 000E4C09
SSA, xrefs: 000E4CA6
Removable, xrefs: 000E4C10, 000E4C15
ATAPI, xrefs: 000E4C91
SAS, xrefs: 000E4CC9
iSCSI, xrefs: 000E4CC2
SATA, xrefs: 000E4CD0
PhysicalDrive, xrefs: 000E4B76
Virtual, xrefs: 000E4CE5
CDROM, xrefs: 000E4BFB
MMC, xrefs: 000E4CDE
FileBackedVirtual, xrefs: 000E4CEC
ATA, xrefs: 000E4C98
\\.\, xrefs: 000E4B3F
SCSI, xrefs: 000E4C8A
RAMDisk, xrefs: 000E4BF4
1394, xrefs: 000E4C9F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3b08908fe042d55a2a0a15206074f17a671597c90a5485dd7977905fa340edeb
Instruction ID: 980e38a33151195e0229397cf89b996cc3e95876061b071d1b6cd0bb3ff6ff4d
Opcode Fuzzy Hash: 3b08908fe042d55a2a0a15206074f17a671597c90a5485dd7977905fa340edeb
Instruction Fuzzy Hash: 4061AE30705285EFCBA4DF66CA829AC77E1AB04340F34C016F84ABB692DB76ED45DB51

Function 00100241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001002E5
_wcslen.LIBCMT ref: 0010031F
_wcslen.LIBCMT ref: 00100389
_wcslen.LIBCMT ref: 001003F1
_wcslen.LIBCMT ref: 00100475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00100504

Part of subcall function 0008F9F2: _wcslen.LIBCMT ref: 0008F9FD

Part of subcall function 000D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000D2258
Part of subcall function 000D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000D228A

Strings

SELECTALL, xrefs: 00100515
GETITEMCOUNT, xrefs: 00100316, 00100337
GETSELECTEDCOUNT, xrefs: 00100470, 0010048B
DESELECT, xrefs: 0010059C
ISSELECTED, xrefs: 001004DD
@U=u, xrefs: 001004C5, 00100504
SELECTINVERT, xrefs: 0010057E
FINDITEM, xrefs: 00100627
SELECT, xrefs: 00100548
GETTEXT, xrefs: 001003EC, 00100407
SELECTCLEAR, xrefs: 0010052D
GETSUBITEMCOUNT, xrefs: 00100384, 0010039F
VIEWCHANGE, xrefs: 00100675
GETSELECTED, xrefs: 001005E1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: af931a182679d1402c335581cf175dcca1b78f1d0a59835ecf2ed5e16bd1389b
Instruction ID: 6dfc3e6c663dacea7a2161d052552e4931b0d8f9633d856ca7c1d1224244b323
Opcode Fuzzy Hash: af931a182679d1402c335581cf175dcca1b78f1d0a59835ecf2ed5e16bd1389b
Instruction Fuzzy Hash: 15E1BE316082018FC725EF24C950A6AB3E6BF88714F15895DF8DAAB2E2DB70ED45CB51

Function 00100FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00101128
GetDesktopWindow.USER32 ref: 0010113D
GetWindowRect.USER32(00000000), ref: 00101144
GetWindowLongW.USER32(?,000000F0), ref: 00101199
DestroyWindow.USER32(?), ref: 001011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0010120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0010121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00101232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00101245
IsWindowVisible.USER32(00000000), ref: 001012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001012D0
GetWindowRect.USER32(00000000,?), ref: 001012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0010130E
GetMonitorInfoW.USER32(00000000,?), ref: 00101328
CopyRect.USER32(?,?), ref: 0010133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001013AA

Strings

(, xrefs: 0010131B
tooltips_class32, xrefs: 001011E6
0, xrefs: 001010D3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9caa81127fb07fd708d532753e0bd7a56895f499d056e89d9b49fd8fd8a2e355
Instruction ID: 1223873b2397586a821562de9f01ae63f0a5cba2a10420c12dc865c42ff501c5
Opcode Fuzzy Hash: 9caa81127fb07fd708d532753e0bd7a56895f499d056e89d9b49fd8fd8a2e355
Instruction Fuzzy Hash: 58B17B71604341AFD714DF64C884BAABBE4FF88754F008918F9D99B2A2CBB5E844CF95

Function 00088891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00088968
GetSystemMetrics.USER32(00000007), ref: 00088970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0008899B
GetSystemMetrics.USER32(00000008), ref: 000889A3
GetSystemMetrics.USER32(00000004), ref: 000889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00088A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00088A3C
GetClientRect.USER32(00000000,000000FF), ref: 00088A5A
GetStockObject.GDI32(00000011), ref: 00088A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00088A81

Part of subcall function 0008912D: GetCursorPos.USER32(?), ref: 00089141
Part of subcall function 0008912D: ScreenToClient.USER32(00000000,?), ref: 0008915E
Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000001), ref: 00089183
Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000002), ref: 0008919D

SetTimer.USER32(00000000,00000000,00000028,000890FC), ref: 00088AA8

Strings

AutoIt v3 GUI, xrefs: 00088A20
@U=u, xrefs: 00088A81

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: d9deb97ce203455b6e5c7492b9e33980a8b5bf740747eb53bab67e02017ad756
Instruction ID: 3d7e5d06ab51afb6a881e95b03993b7d87d3bbe202131fe8d6da88b98822573e
Opcode Fuzzy Hash: d9deb97ce203455b6e5c7492b9e33980a8b5bf740747eb53bab67e02017ad756
Instruction Fuzzy Hash: 8DB18F75A0020AEFDF24DF68CC45BAE7BB5FB48314F104229FA55A72A0DB71A881CF51

Function 000D5A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000D5A40
SetWindowTextW.USER32(?,?), ref: 000D5A57
GetDlgItem.USER32(?,000003EA), ref: 000D5A6C
SetWindowTextW.USER32(00000000,?), ref: 000D5A72
GetDlgItem.USER32(?,000003E9), ref: 000D5A82
SetWindowTextW.USER32(00000000,?), ref: 000D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000D5AC3
GetWindowRect.USER32(?,?), ref: 000D5ACC
_wcslen.LIBCMT ref: 000D5B33
SetWindowTextW.USER32(?,?), ref: 000D5B6F
GetDesktopWindow.USER32 ref: 000D5B75
GetWindowRect.USER32(00000000), ref: 000D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000D5BD3
GetClientRect.USER32(?,?), ref: 000D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000D5C2F

Strings

@U=u, xrefs: 000D5A40

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 6600c98c17b28291a635fa762f47f072b4f9d606ab35add6a58861cb4a0aa374
Instruction ID: c50933503e1ac17de7fa17dc6e9f39bcb8c51240125e5c8d1de6f020c9a0ac40
Opcode Fuzzy Hash: 6600c98c17b28291a635fa762f47f072b4f9d606ab35add6a58861cb4a0aa374
Instruction Fuzzy Hash: D7716131900B05AFDB20DFA8CE45AAEBBF5FF48715F10461AE582A36A0D775E944CF60

Function 0010091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001009C6
_wcslen.LIBCMT ref: 00100A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00100A54
_wcslen.LIBCMT ref: 00100A8A
_wcslen.LIBCMT ref: 00100B06
_wcslen.LIBCMT ref: 00100B81

Part of subcall function 0008F9F2: _wcslen.LIBCMT ref: 0008F9FD

Part of subcall function 000D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000D2BFA

Strings

GETITEMCOUNT, xrefs: 00100C1E
GETTEXT, xrefs: 00100C97
ISCHECKED, xrefs: 00100CE1
UNCHECK, xrefs: 00100D3E
GETTOTALCOUNT, xrefs: 001009F2, 00100A17
CHECK, xrefs: 00100A85, 00100AA0
EXISTS, xrefs: 00100B7C, 00100B97
COLLAPSE, xrefs: 00100B01, 00100B1C
EXPAND, xrefs: 00100BF8
@U=u, xrefs: 00100A54
SELECT, xrefs: 00100D11
GETSELECTED, xrefs: 00100C4E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 6edc77b18691a0fdf03883ecf0029c4ae851c815ad6c06a9c368c6b3e6341006
Instruction ID: 298361c36d754575df81ea034e8c5c9828aa651f12acd9497d7f36336bd3e614
Opcode Fuzzy Hash: 6edc77b18691a0fdf03883ecf0029c4ae851c815ad6c06a9c368c6b3e6341006
Instruction Fuzzy Hash: F5E1D9352087018FCB15EF24C450A6AB7E2BF98314F11895DF8DAAB3A2DB71ED45CB91

Function 000D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
Part of subcall function 000D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
Part of subcall function 000D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
Part of subcall function 000D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000D0E29
GetLengthSid.ADVAPI32(?), ref: 000D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000D0E96
GetLengthSid.ADVAPI32(?), ref: 000D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000D0EB5
HeapAlloc.KERNEL32(00000000), ref: 000D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000D0EDD
CopySid.ADVAPI32(00000000), ref: 000D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F6E
HeapFree.KERNEL32(00000000), ref: 000D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F7E
HeapFree.KERNEL32(00000000), ref: 000D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F8E
HeapFree.KERNEL32(00000000), ref: 000D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000D0FA1
HeapFree.KERNEL32(00000000), ref: 000D0FA8

Part of subcall function 000D1193: GetProcessHeap.KERNEL32(00000008,000D0BB1,?,00000000,?,000D0BB1,?), ref: 000D11A1
Part of subcall function 000D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000D0BB1,?), ref: 000D11A8
Part of subcall function 000D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000D0BB1,?), ref: 000D11B7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: da414dacd83755c064f68ec0a83a152aed9e6585a28ca4d964efb54534c051dc
Instruction ID: b6df776bd80b682c47bfc326190c1d6c2acda97d2f770b36e08de8a794dd7880
Opcode Fuzzy Hash: da414dacd83755c064f68ec0a83a152aed9e6585a28ca4d964efb54534c051dc
Instruction Fuzzy Hash: 25714C7290030AEBDF609FA5DC48BEEBBB8BF04310F144226F959A6691D7719945CFB0

Function 0010833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010835A
_wcslen.LIBCMT ref: 0010836E
_wcslen.LIBCMT ref: 00108391
_wcslen.LIBCMT ref: 001083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0010361A,?), ref: 0010844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00108487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00108501
FreeLibrary.KERNEL32(?), ref: 0010850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0010851D
DestroyIcon.USER32(?), ref: 0010852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00108549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00108555

Strings

.exe, xrefs: 00108388
.icl, xrefs: 00108368
.dll, xrefs: 001083AB
@U=u, xrefs: 00108535

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: 96a359d9628b47805518ed6ec576334e713c2fbc8b62d172af657ede908979a0
Instruction ID: a9325b768bbc477479c305b816ef4393421c2ff0ec7ba5e0ff74df5c78c5ba1d
Opcode Fuzzy Hash: 96a359d9628b47805518ed6ec576334e713c2fbc8b62d172af657ede908979a0
Instruction Fuzzy Hash: 1261DF71904219BAEB14DF64CC81FFE77A8BB04B21F104619F895D61D2DFB4A980DBA0

Function 000FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0010CC08,00000000,?,00000000,?,?), ref: 000FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000FC5A4
_wcslen.LIBCMT ref: 000FC5F4
_wcslen.LIBCMT ref: 000FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000FC84D
RegCloseKey.ADVAPI32(?), ref: 000FC881
RegCloseKey.ADVAPI32(00000000), ref: 000FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000FC960

Strings

REG_MULTI_SZ, xrefs: 000FC6F5
REG_EXPAND_SZ, xrefs: 000FC5CD
REG_QWORD, xrefs: 000FC8C3
REG_DWORD, xrefs: 000FC804
REG_BINARY, xrefs: 000FC913
REG_SZ, xrefs: 000FC644

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 899fe89a3866cab9d29f930ebc9c64f22e77def03e2c349a21057f93f1d4d700
Instruction ID: d068618572744a75956c6b530e196a2c6eda5839c659edaf65781be1b8861ba3
Opcode Fuzzy Hash: 899fe89a3866cab9d29f930ebc9c64f22e77def03e2c349a21057f93f1d4d700
Instruction Fuzzy Hash: A812A9356046089FDB14DF24C882F6AB7E5EF88754F14885CF98A9B7A2CB35EC41CB85

Function 000FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
_wcslen.LIBCMT ref: 000FC9F1
_wcslen.LIBCMT ref: 000FCA68
_wcslen.LIBCMT ref: 000FCA9E
_wcslen.LIBCMT ref: 000FCAF9
_wcslen.LIBCMT ref: 000FCB2F
_wcslen.LIBCMT ref: 000FCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 000FCB79, 000FCB7E
HKEY_CLASSES_ROOT, xrefs: 000FCAF3, 000FCAF8
HKCR, xrefs: 000FCB29, 000FCB2E
HKCU, xrefs: 000FCBCE
HKEY_CURRENT_USER, xrefs: 000FCBBD
HKLM, xrefs: 000FCA98, 000FCA9D
HKCC, xrefs: 000FCBAC
HKEY_USERS, xrefs: 000FCBDF
HKEY_LOCAL_MACHINE, xrefs: 000FCA62, 000FCA67
HKU, xrefs: 000FCBF0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f6ad5533c7cadc4f4d679322431bc1f317ffb2e690ad349007b52b76636f329e
Instruction ID: 0b3c0b965cb7c9bec06d20ee79e9ae216629e2919a185a79dd58fb06f9e7b291
Opcode Fuzzy Hash: f6ad5533c7cadc4f4d679322431bc1f317ffb2e690ad349007b52b76636f329e
Instruction Fuzzy Hash: 8471143260012E8BEB20DE38CB43DFE33D1ABA0754F250524FA56A7685EB31DD45E3A1

Function 00077778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 000B5169
", xrefs: 000B5153
#comments-start, xrefs: 0007785F, 000778B1
#notrayicon, xrefs: 000777E7
Unterminated group of comments, xrefs: 000B528C
#ce, xrefs: 000778ED
#requireadmin, xrefs: 000777FF
#include, xrefs: 00077847
#OnAutoItStartRegister, xrefs: 00077817
Bad directive syntax error, xrefs: 000B519A
#pragma compile, xrefs: 000777D3
#cs, xrefs: 00077873, 000778C5
#include-once, xrefs: 0007782F
#comments-end, xrefs: 000778D9
Cannot parse #include, xrefs: 000B5279

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 546fb78706ee81ef608efdd0f2dc62026d82d07cea7bc20ff3ed1df8c8ed59cf
Instruction ID: d60abf12fd16500178c836ff7fb436ef72433483c950f9ca37f1c1c3719ea9d6
Opcode Fuzzy Hash: 546fb78706ee81ef608efdd0f2dc62026d82d07cea7bc20ff3ed1df8c8ed59cf
Instruction Fuzzy Hash: 3C811871A48205BBDB25AF64CC42FEE37A8AF15340F04C464F90CAB193EBB8D911D7A5

Function 000E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000E3EF8
_wcslen.LIBCMT ref: 000E3F03
_wcslen.LIBCMT ref: 000E3F5A
_wcslen.LIBCMT ref: 000E3F98
GetDriveTypeW.KERNEL32(?), ref: 000E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000E4087

Strings

close, xrefs: 000E3EFE, 000E3F18
open , xrefs: 000E3FE5
open, xrefs: 000E3F54, 000E3F59
close cd wait, xrefs: 000E4072
closed, xrefs: 000E3F08, 000E3F2D, 000E3F46, 000E3F7E, 000E3F97
type cdaudio alias cd wait, xrefs: 000E4001
set cd door , xrefs: 000E4028
wait, xrefs: 000E4044

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 904cadc556e7f5bb5d376744357663a4287a4cb5244e3fd1dab97cfc9f7b6e35
Instruction ID: 5701ff7ad3ec3385b46df921c52a68686d2211c266f5f917e1b518a167418246
Opcode Fuzzy Hash: 904cadc556e7f5bb5d376744357663a4287a4cb5244e3fd1dab97cfc9f7b6e35
Instruction Fuzzy Hash: 0171E232A042019FC710EF25C8819AEB7F4EF94754F50892DF89AA7252EB35DE45CB91

Function 0010856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00108592
GetFileSize.KERNEL32(00000000,00000000), ref: 001085A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001085AD
CloseHandle.KERNEL32(00000000), ref: 001085BA
GlobalLock.KERNEL32(00000000), ref: 001085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001085D7
GlobalUnlock.KERNEL32(00000000), ref: 001085E0
CloseHandle.KERNEL32(00000000), ref: 001085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001085F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0010FC38,?), ref: 00108611
GlobalFree.KERNEL32(00000000), ref: 00108621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00108641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00108671
DeleteObject.GDI32(00000000), ref: 00108699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001086AF

Strings

@U=u, xrefs: 001086AF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: eaa2ff5a8ab05004ac69e5c9ef89a6306b8b88fc2878adbb13dcd4914b28fa21
Instruction ID: 75eeec3f55ae4520cb92a99c28b5097ef8bfbbb2589939d4a17363f3e0cd99f4
Opcode Fuzzy Hash: eaa2ff5a8ab05004ac69e5c9ef89a6306b8b88fc2878adbb13dcd4914b28fa21
Instruction Fuzzy Hash: 09412C75600208EFDB119F65CC48EAA7BB8FF89711F108258F985D7690DBB19941CF60

Function 000EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 000EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 000EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 000EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 000EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 000EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 000EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 000EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 000EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 000EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 000EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 000EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 000EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 000EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 000EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 000EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 000EFECC
GetCursorInfo.USER32(?), ref: 000EFEDC
GetLastError.KERNEL32 ref: 000EFF1E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0893736698130343335e268f84fa380276e645a138c0c22e0ad3075000e101b2
Instruction ID: 76925dd6302eb74bcff1161c4735e54275c2ea3aa77e6b03d662cfc328975bdb
Opcode Fuzzy Hash: 0893736698130343335e268f84fa380276e645a138c0c22e0ad3075000e101b2
Instruction Fuzzy Hash: 4A4153B0D0535A6EDB109FBA8C8586EBFE8FF04354B50853AE11DE7281DB789901CE91

Function 000900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000900C6

Part of subcall function 000900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0014070C,00000FA0,F34EDE35,?,?,?,?,000B23B3,000000FF), ref: 0009011C
Part of subcall function 000900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000B23B3,000000FF), ref: 00090127
Part of subcall function 000900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000B23B3,000000FF), ref: 00090138
Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0009014E
Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0009015C
Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0009016A
Part of subcall function 000900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00090195
Part of subcall function 000900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000901A0

___scrt_fastfail.LIBCMT ref: 000900E7

Part of subcall function 000900A3: __onexit.LIBCMT ref: 000900A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00090122
SleepConditionVariableCS, xrefs: 00090154
kernel32.dll, xrefs: 00090133
InitializeConditionVariable, xrefs: 00090148
WakeAllConditionVariable, xrefs: 00090162

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 85b8b1aa36cfa48a0ee9c2e1a01f520609aab9e30bcd2ce4ff38179df412b1fe
Instruction ID: e4834a32c8555913d2a3e876bfe225d05542ae5597ebcb031670fcc5973fb0a1
Opcode Fuzzy Hash: 85b8b1aa36cfa48a0ee9c2e1a01f520609aab9e30bcd2ce4ff38179df412b1fe
Instruction Fuzzy Hash: F921FC32645711AFDB215BB4AC0AB6A37D4EB49F51F00012AF981A6AD1DBB058409B91

Function 000D30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D318D
_wcslen.LIBCMT ref: 000D31F8

Strings

TEXT, xrefs: 000D347C
CLASSNN, xrefs: 000D31F3, 000D3204
REGEXPCLASS, xrefs: 000D3255, 000D3266
NAME, xrefs: 000D3335, 000D3346
INSTANCE, xrefs: 000D3453
CLASS, xrefs: 000D3188, 000D31A5

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5d5e0afe0387a18c888814eddec924aacb05720b046b867ca9d55c721f7240de
Instruction ID: 218acaf533ddcf927fc3be44c6fe7d3e5fc51000254eaa805dcc2ac48be6eaf4
Opcode Fuzzy Hash: 5d5e0afe0387a18c888814eddec924aacb05720b046b867ca9d55c721f7240de
Instruction Fuzzy Hash: 7BE1E232A00616ABCB689F68C451AEEFBB1BF44710F14811AE456B7341DB30AF859BB1

Function 000E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0010CC08), ref: 000E4527
_wcslen.LIBCMT ref: 000E453B
_wcslen.LIBCMT ref: 000E4599
_wcslen.LIBCMT ref: 000E45F4
_wcslen.LIBCMT ref: 000E463F
_wcslen.LIBCMT ref: 000E46A7

Part of subcall function 0008F9F2: _wcslen.LIBCMT ref: 0008F9FD

GetDriveTypeW.KERNEL32(?,00136BF0,00000061), ref: 000E4743

Strings

removable, xrefs: 000E45EA, 000E45EF
all, xrefs: 000E4531, 000E4536
fixed, xrefs: 000E4635, 000E463A
ramdisk, xrefs: 000E46F1
network, xrefs: 000E469D, 000E46A2
cdrom, xrefs: 000E458F, 000E4594
unknown, xrefs: 000E4708

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: cbbbf2ab4f59d2db3ec638ec7a5f717b095b932aaba6a0a21a74001ac26fab9a
Instruction ID: 6d7236ae545046a7e0537b66b133019461ac275e9d686a1765e9cae9539e209e
Opcode Fuzzy Hash: cbbbf2ab4f59d2db3ec638ec7a5f717b095b932aaba6a0a21a74001ac26fab9a
Instruction Fuzzy Hash: F9B11631A083429FC710DF29C890A7EB7E5BFA5760F50891DF49AE7292D730D945CB92

Function 00106CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00106DEB

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00106E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00106E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00106E94
DestroyWindow.USER32(?), ref: 00106EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00070000,00000000), ref: 00106EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00106EFD
GetDesktopWindow.USER32 ref: 00106F16
GetWindowRect.USER32(00000000), ref: 00106F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00106F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00106F4D

Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952

Strings

0, xrefs: 00106D98
tooltips_class32, xrefs: 00106E58, 00106EDD
@U=u, xrefs: 00106E81, 00106E94, 00106EFD, 00106F27

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: 4f89a94bf055b807eadae66958cf87a777e1bb002d496c68c7e1a0e0524bf9b6
Instruction ID: e252b44b384dbfa63fb4561827312df801fe1d4af4764a0cad31c2b44bd234aa
Opcode Fuzzy Hash: 4f89a94bf055b807eadae66958cf87a777e1bb002d496c68c7e1a0e0524bf9b6
Instruction Fuzzy Hash: 99717674104345AFDB21CF18DC54EAABBE9FB89304F04091DFAC9872A1CBB1A996CF51

Function 0010911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

DragQueryPoint.SHELL32(?,?), ref: 00109147

Part of subcall function 00107674: ClientToScreen.USER32(?,?), ref: 0010769A
Part of subcall function 00107674: GetWindowRect.USER32(?,?), ref: 00107710
Part of subcall function 00107674: PtInRect.USER32(?,?,00108B89), ref: 00107720

SendMessageW.USER32(?,000000B0,?,?), ref: 001091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00109225
SendMessageW.USER32(?,000000B0,?,?), ref: 0010923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00109255
SendMessageW.USER32(?,000000B1,?,?), ref: 00109277
DragFinish.SHELL32(?), ref: 0010927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00109371

Strings

@GUI_DRAGFILE, xrefs: 00109320
@GUI_DRAGID, xrefs: 001092E9
@GUI_DROPID, xrefs: 0010929E
@U=u, xrefs: 001091B0, 00109225, 0010923E, 00109255, 00109277

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: 9235a8e86d5e6176eb620ae46d7b8da7bcc01b642559629be307c925c01f3659
Instruction ID: 28153b7a1b3ab18eaab7e49bb6fd5cf236542a5b48930d727ff89e8d4f0f9379
Opcode Fuzzy Hash: 9235a8e86d5e6176eb620ae46d7b8da7bcc01b642559629be307c925c01f3659
Instruction Fuzzy Hash: AE616971508301AFD701EF64DC85DAFBBE8FF99350F004A2DF595921A2DB709A89CB92

Function 0007326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00141990), ref: 000B2F8D
GetMenuItemCount.USER32(00141990), ref: 000B303D
GetCursorPos.USER32(?), ref: 000B3081
SetForegroundWindow.USER32(00000000), ref: 000B308A
TrackPopupMenuEx.USER32(00141990,00000000,?,00000000,00000000,00000000), ref: 000B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000B30A9

Strings

0, xrefs: 0007327D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 36a6fd6f2003044b903dff3c21bc798b320d6494a8ffac3a43754f36303ef3e1
Instruction ID: 3cb857d5be420f6ed5a8071bc75c09802669b9f0a84a18e3041b4a91d51bdc56
Opcode Fuzzy Hash: 36a6fd6f2003044b903dff3c21bc798b320d6494a8ffac3a43754f36303ef3e1
Instruction Fuzzy Hash: 9271C670640206BAFB359F65CC49FEABFA4FF05364F204226F528661E1C7B1AD50DB94

Function 000EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000EC5F0
InternetCloseHandle.WININET(00000000), ref: 000EC5FB

Strings

, xrefs: 000EC575

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: acb84e1d62fd654c2b8743052b01c1f13d7333d05768082df41076b06aac9bf7
Instruction ID: ba603617c39ff26e2e9875cfd1df745c258d6284825855d0d05b22af96c5ee60
Opcode Fuzzy Hash: acb84e1d62fd654c2b8743052b01c1f13d7333d05768082df41076b06aac9bf7
Instruction Fuzzy Hash: CC517FB1500744BFEB219F65C948EAB7BFCFF04344F00451AF986A6650D771E9859FA0

Function 000E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000E1502
VariantCopy.OLEAUT32(?,?), ref: 000E150B
VariantClear.OLEAUT32(?), ref: 000E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 000E1657
VariantInit.OLEAUT32(?), ref: 000E1708
SysFreeString.OLEAUT32(?), ref: 000E178C
VariantClear.OLEAUT32(?), ref: 000E17D8
VariantClear.OLEAUT32(?), ref: 000E17E7
VariantInit.OLEAUT32(00000000), ref: 000E1823

Strings

Default, xrefs: 000E16AF
%4d%02d%02d%02d%02d%02d, xrefs: 000E1625

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 72c71469a7557ef05c08ade4eed8e13051160d109b68ebf40596957625cb7cd2
Instruction ID: 7b78a089c1987fc421eb71766ca22a38295be4054c2c8ae89bfe5236b083eaa5
Opcode Fuzzy Hash: 72c71469a7557ef05c08ade4eed8e13051160d109b68ebf40596957625cb7cd2
Instruction Fuzzy Hash: FCD10032A00A01EFDB20AF66D885BFDB7B1BF45700F10815AE896BB585DB74DC40DBA1

Function 000FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 000FB80A
RegCloseKey.ADVAPI32(?), ref: 000FB87E
RegCloseKey.ADVAPI32(?), ref: 000FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 000FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 000FB922
FreeLibrary.KERNEL32(00000000), ref: 000FB983
RegCloseKey.ADVAPI32(00000000), ref: 000FB994

Strings

RegDeleteKeyExW, xrefs: 000FB8FE
advapi32.dll, xrefs: 000FB8ED

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c255d3e43e29d16c3d8d4daef51bf32c11d46dd5db31894378d030f2d1fd0013
Instruction ID: 6a55c4d3955c1dc7fe392adfd76dcd5a9eff12e01e8b6a570759d34f0aed62c6
Opcode Fuzzy Hash: c255d3e43e29d16c3d8d4daef51bf32c11d46dd5db31894378d030f2d1fd0013
Instruction Fuzzy Hash: 78C19C34608205AFD720DF24C495F6ABBE1BF84308F14855CF69A8BAA2CB75EC45DF91

Function 0010541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00105504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00105515
CharNextW.USER32(00000158), ref: 00105544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00105585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0010559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001055AC

Strings

@U=u, xrefs: 00105504, 00105515, 0010554A, 001055C9, 0010562B, 00105816

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: a634db3e9d040984215c749f1ad18121939c77b26a5dd954fc3b8e0c46b681b9
Instruction ID: ef943e3b91cd845f0b354bfb4bfa853e2b529c6bd9238bfff3feca0d8f174845
Opcode Fuzzy Hash: a634db3e9d040984215c749f1ad18121939c77b26a5dd954fc3b8e0c46b681b9
Instruction Fuzzy Hash: 77617C34900609ABDF209F54CC84DFF7BBAEB0A724F104145F9A5AB2D1DBB59A81DF60

Function 000F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000F25E8
CreateCompatibleDC.GDI32(?), ref: 000F25F4
SelectObject.GDI32(00000000,?), ref: 000F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000F26D0
SelectObject.GDI32(?,?), ref: 000F26D8
DeleteObject.GDI32(?), ref: 000F26E1
DeleteDC.GDI32(?), ref: 000F26E8
ReleaseDC.USER32(00000000,?), ref: 000F26F3

Strings

(, xrefs: 000F268D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d6958f99b35b632796c8e583db57e92f84162eb1614a4d3a6ce6eaf357b6cc33
Instruction ID: 31ce0d923cef2e3ab2b88ba3cfed6bf7ea408966761c686f2e0c16d325890204
Opcode Fuzzy Hash: d6958f99b35b632796c8e583db57e92f84162eb1614a4d3a6ce6eaf357b6cc33
Instruction Fuzzy Hash: B06102B5D00219EFCF14CFA4D884AAEBBF6FF48310F208529EA55A7650D770A951DF90

Function 000DE6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000DE6B4

Part of subcall function 0008E551: timeGetTime.WINMM(?,?,000DE6D4), ref: 0008E555

Sleep.KERNEL32(0000000A), ref: 000DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000DE727
SetActiveWindow.USER32 ref: 000DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000DE773
Sleep.KERNEL32(000000FA), ref: 000DE77E
IsWindow.USER32 ref: 000DE78A
EndDialog.USER32(00000000), ref: 000DE79B

Strings

BUTTON, xrefs: 000DE719
@U=u, xrefs: 000DE754, 000DE773

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 5cdebe4e95a5d1ae6249dd4bb11c6a3be307862d4a50ee195cab28368aff2357
Instruction ID: 844685b01a46824c84644d407e8683736d640b5b9c6c28de0e2ee0ea27e713ea
Opcode Fuzzy Hash: 5cdebe4e95a5d1ae6249dd4bb11c6a3be307862d4a50ee195cab28368aff2357
Instruction Fuzzy Hash: 5C218474204344AFEB506F60EC89A3A3B69F755348F500526F94585BB1DBB1ACC08E75

Function 000ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000ADAA1

Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD659
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD66B
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD67D
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD68F
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6A1
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6B3
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6C5
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6D7
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6E9
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6FB
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD70D
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD71F
Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD731

_free.LIBCMT ref: 000ADA96

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000ADAB8
_free.LIBCMT ref: 000ADACD
_free.LIBCMT ref: 000ADAD8
_free.LIBCMT ref: 000ADAFA
_free.LIBCMT ref: 000ADB0D
_free.LIBCMT ref: 000ADB1B
_free.LIBCMT ref: 000ADB26
_free.LIBCMT ref: 000ADB5E
_free.LIBCMT ref: 000ADB65
_free.LIBCMT ref: 000ADB82
_free.LIBCMT ref: 000ADB9A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a93b49ed7fdb22b6442123f1a4e816c2efb2c3416dd2d62dee6f1774c0eda38d
Instruction ID: a2972d7d8d52c0e81ca37d66821779db154bd7275fa500c31a2c5cc2f899a292
Opcode Fuzzy Hash: a93b49ed7fdb22b6442123f1a4e816c2efb2c3416dd2d62dee6f1774c0eda38d
Instruction Fuzzy Hash: 27318D31604305DFEBA1AAB8E845B9B77E9FF12710F11442AE44AD7992DF30EC40C721

Function 000D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000D369C
_wcslen.LIBCMT ref: 000D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000D3797
GetClassNameW.USER32(?,?,00000400), ref: 000D380C
GetDlgCtrlID.USER32(?), ref: 000D385D
GetWindowRect.USER32(?,?), ref: 000D3882
GetParent.USER32(?), ref: 000D38A0
ScreenToClient.USER32(00000000), ref: 000D38A7
GetClassNameW.USER32(?,?,00000100), ref: 000D3921
GetWindowTextW.USER32(?,?,00000400), ref: 000D395D

Strings

%s%u, xrefs: 000D3734

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 855b12eac11e117f9db9351c7c3ca8377104e5cce67dbe7f0756f166fd41cfba
Instruction ID: 5fffdb5cd6c5d9ea8c66a00763f844393862ff62e2b5c706e2023ec3a384102d
Opcode Fuzzy Hash: 855b12eac11e117f9db9351c7c3ca8377104e5cce67dbe7f0756f166fd41cfba
Instruction Fuzzy Hash: 5691A571204706AFD715DF24C895BEAF7E8FF44350F00862AF999D2291DB70EA45CBA2

Function 000D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000D4994
GetWindowTextW.USER32(?,?,00000400), ref: 000D49DA
_wcslen.LIBCMT ref: 000D49EB
CharUpperBuffW.USER32(?,00000000), ref: 000D49F7
_wcsstr.LIBVCRUNTIME ref: 000D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000D4B20
GetWindowRect.USER32(?,?), ref: 000D4B8B

Strings

ThumbnailClass, xrefs: 000D4A6F, 000D4AF1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b66d2a855667aafd0ea7baa211465605690ec3818747bb678c8d602da8a2e652
Instruction ID: e28f677b81c672e01876db0582422732431397ddeb7b0e5618076ee07c750607
Opcode Fuzzy Hash: b66d2a855667aafd0ea7baa211465605690ec3818747bb678c8d602da8a2e652
Instruction Fuzzy Hash: 8991B8710083059BDB14CF14C985BAAB7E8FF94314F04856BFD899A296EB34ED45CBA2

Function 00108D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00108D5A
GetFocus.USER32 ref: 00108D6A
GetDlgCtrlID.USER32(00000000), ref: 00108D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00108E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00108ECF
GetMenuItemCount.USER32(?), ref: 00108EEC
GetMenuItemID.USER32(?,00000000), ref: 00108EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00108F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00108F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00108FA1

Strings

0, xrefs: 00108E9F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 37523526ff1bfa703f17453cc21bfadb9f509ba6b8ba8687a657663608226344
Instruction ID: 51a2ec7ef2fdaa264c69caf8da19faaac3906bf0e98f030664d38c9bc4bcd58d
Opcode Fuzzy Hash: 37523526ff1bfa703f17453cc21bfadb9f509ba6b8ba8687a657663608226344
Instruction Fuzzy Hash: 6A819071608311AFDB10DF24D884AAB7BE9FB89354F140A19F9C5972D1DBB0D941CFA1

Function 000DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000DDC46
_wcslen.LIBCMT ref: 000DDC50
_wcsstr.LIBVCRUNTIME ref: 000DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000DDCBC

Strings

\VarFileInfo\Translation, xrefs: 000DDCB4
%u.%u.%u.%u, xrefs: 000DDD9A
StringFileInfo\, xrefs: 000DDC8F
04090000, xrefs: 000DDCF2
DefaultLangCodepage, xrefs: 000DDD1F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 7fe4a5458918cb07577d439d641741e8dda806a948a803e0bcd16865d952c29a
Instruction ID: c15c70cb7b32105785fca5451b04bee68f25c265ac168b2af0a7b7b7fe906203
Opcode Fuzzy Hash: 7fe4a5458918cb07577d439d641741e8dda806a948a803e0bcd16865d952c29a
Instruction Fuzzy Hash: 1A41F032940305BAEF10AB749C43EFF77ACEF56750F10416AF900A6283EBB499019BB5

Function 000FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000FCD48

Part of subcall function 000FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000FCCAA
Part of subcall function 000FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000FCCBD
Part of subcall function 000FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000FCCCF
Part of subcall function 000FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000FCD05
Part of subcall function 000FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 000FCCF3

Strings

RegDeleteKeyExW, xrefs: 000FCCC9
advapi32.dll, xrefs: 000FCCB8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7c9a809956feac5f53188d8153415e8a90f64ab0d8c37bc938453f02f5146647
Instruction ID: 774156045852e7de9b22aae73855da2ac4336becdba056edbebcf5ab658f7856
Opcode Fuzzy Hash: 7c9a809956feac5f53188d8153415e8a90f64ab0d8c37bc938453f02f5146647
Instruction Fuzzy Hash: D1318F7590112CBBEB208B54DD89EFFBBBCEF45750F000165FA06E2644DB709A85EAE0

Function 000E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000E3D40
_wcslen.LIBCMT ref: 000E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 000E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 000E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000E3E55
CloseHandle.KERNEL32(00000000), ref: 000E3E60
CloseHandle.KERNEL32(00000000), ref: 000E3E6B

Strings

\, xrefs: 000E3D77
\??\%s, xrefs: 000E3D5B
:, xrefs: 000E3D82

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 861cee8fdbb657d67347a7945d7642703aeae1cd4f4e82aa5b126147e73b7dd8
Instruction ID: 7739c5b70534162998b1de70f292b9ec76c1d8b3a4b54cfda7fa72f0f721bf94
Opcode Fuzzy Hash: 861cee8fdbb657d67347a7945d7642703aeae1cd4f4e82aa5b126147e73b7dd8
Instruction Fuzzy Hash: F631B271904249ABDB219BA1DC49FEF3BBDEF88700F5041B5F545E6061EBB097848B64

Function 000DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000DEAA7

Strings

open , xrefs: 000DEA0C
play PlayMe wait, xrefs: 000DEA91
status PlayMe mode, xrefs: 000DEA58
alias PlayMe, xrefs: 000DEA36
close PlayMe, xrefs: 000DEA6E, 000DEA9B
play PlayMe, xrefs: 000DEAA2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: de6efb4b8b94818bc3c380a0bd8eb6297e56af8b4edb0bb32046ba2c9c0a77c2
Instruction ID: 1c6091ea2550a7a38639931444192e86ddaf12e7176e2eff42b2f674dd85ea3d
Opcode Fuzzy Hash: de6efb4b8b94818bc3c380a0bd8eb6297e56af8b4edb0bb32046ba2c9c0a77c2
Instruction Fuzzy Hash: 89119131A902597DD720B7A5DC4AEFF6ABCEBD1B04F00442AB415A60D1EFB01A05C6B1

Function 000D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000D5CE2
GetWindowRect.USER32(00000000,?), ref: 000D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000D5D59
GetDlgItem.USER32(?,00000002), ref: 000D5D69
GetWindowRect.USER32(00000000,?), ref: 000D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000D5DCF
GetDlgItem.USER32(?,000003E9), ref: 000D5DDD
GetWindowRect.USER32(00000000,?), ref: 000D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000D5E31
GetDlgItem.USER32(?,000003EA), ref: 000D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000D5E67

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2c9e754c3f4698db8bed1b28e1947a17449679a9962da646d9cc841739bbd1ec
Instruction ID: 7b29f9fbf567ed02b4d99ceae3dae32bce2af2da4c9c5ad1842f3efe902f0d4d
Opcode Fuzzy Hash: 2c9e754c3f4698db8bed1b28e1947a17449679a9962da646d9cc841739bbd1ec
Instruction Fuzzy Hash: A051FF71A00705AFDB18DF68DD89AAE7BB6EB48301F148229F915E7790D7709E44CF60

Function 00088BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00088F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00088BE8,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088FC5

DestroyWindow.USER32(?), ref: 00088C81
KillTimer.USER32(00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 000C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 000C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000), ref: 000C69D4
DeleteObject.GDI32(00000000), ref: 000C69E6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4860f6110433edaec37644723ec0df8be16f1ca49c12922b4912e488cd824867
Instruction ID: 8a6b37c2b4c4198a342deca1cc1d201c617e9abf2e47f4970b9ef33621f9984f
Opcode Fuzzy Hash: 4860f6110433edaec37644723ec0df8be16f1ca49c12922b4912e488cd824867
Instruction Fuzzy Hash: 6D617934502710EFDB75AF14DA48B2AB7F1FB41316F94852CE0829A9B4CB72A9C0CF91

Function 00089838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952

GetSysColor.USER32(0000000F), ref: 00089862

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3bbc4df3228e0471ea7d8e1d04dcb4d3e6df0bb1f5357d8a4f0903e683083a61
Instruction ID: 68ba847ddbafc70b0ea67003a11c2d444b7b0e0d191b4e51e338947961983881
Opcode Fuzzy Hash: 3bbc4df3228e0471ea7d8e1d04dcb4d3e6df0bb1f5357d8a4f0903e683083a61
Instruction Fuzzy Hash: 72419131204641EFDB607F389C84BB93BA5BB46334F184619F9E6871E1DB719C82DB60

Function 000A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 000A903A, 000A8FD0, 000A8FF2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3497715306
Opcode ID: d93e0df0a561a838e0ce9b958fc3b3f61ba99a7f7f6b140f613c2860ed190756
Instruction ID: 601b8fadcd092634ce1b40de3623fc4ec9ca6ff4ad440b021f4b282260d31f72
Opcode Fuzzy Hash: d93e0df0a561a838e0ce9b958fc3b3f61ba99a7f7f6b140f613c2860ed190756
Instruction Fuzzy Hash: 0BC1D174A04249AFDF61DFE8C845BEDBBF0AF1B350F1481A9E954A7392C7309941CB61

Function 001050D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00105186
ShowWindow.USER32(?,00000000), ref: 001051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001051D1

Part of subcall function 00106FBA: DeleteObject.GDI32(00000000), ref: 00106FE6

GetWindowLongW.USER32(?,000000F0), ref: 0010520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0010521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0010524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00105287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00105296

Strings

@U=u, xrefs: 00105186

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: c71b8d184fd66e9a36f07d197d086c986e9a9722e842331c0524f05df82aa2f8
Instruction ID: afebc4e2065cf1af2e7dc3f9dd98d09bb79594f6469454466d6bdca8a6d017de
Opcode Fuzzy Hash: c71b8d184fd66e9a36f07d197d086c986e9a9722e842331c0524f05df82aa2f8
Instruction Fuzzy Hash: AB516B30A50A08FEEF24AF24CC4ABDA3B66BF05365F188111F695962E1C7F5A990DF41

Function 00088B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00088874,00000000,00000000,00000000,000000FF,00000000), ref: 000C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00088874,00000000,00000000,00000000,000000FF,00000000), ref: 000C692D

Strings

@U=u, xrefs: 000C68F2, 000C691E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: b3065161a495588e37348870380f5998448f75e57594c6f13cc9c27af13ee02e
Instruction ID: f0af79eaf27b8577fd5e344bb94978c7ce7858158291fb88d635f28c535f4a66
Opcode Fuzzy Hash: b3065161a495588e37348870380f5998448f75e57594c6f13cc9c27af13ee02e
Instruction Fuzzy Hash: 5D516974600209AFDB20EF24CC95FAE7BF5FB98750F108618F996972A0DB71E990DB50

Function 000D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000D9717
LoadStringW.USER32(00000000,?,000BF7F8,00000001), ref: 000D9720

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000D9742
LoadStringW.USER32(00000000,?,000BF7F8,00000001), ref: 000D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000D9866

Strings

Line %d (File "%s"):, xrefs: 000D978F
Line %d:, xrefs: 000D97A0
Error: , xrefs: 000D981D
^ ERROR, xrefs: 000D97FB
%s (%d) : ==> %s: %s %s, xrefs: 000D984A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 624431eb701f4942ee51fe53d47e9e264eae40d51e10d47c17d06654fc0ad67b
Instruction ID: 1de03bf7564a11e61c9c1540a2069e05b18e089cf48d1b02daf5c1ea9ca12d12
Opcode Fuzzy Hash: 624431eb701f4942ee51fe53d47e9e264eae40d51e10d47c17d06654fc0ad67b
Instruction Fuzzy Hash: 78413B72D00209AADB14EBA0CE46DEEB778AF55340F508125F60A72193EF396F48CB75

Function 000D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000D083C

Strings

\CLSID, xrefs: 000D0724
SOFTWARE\Classes\, xrefs: 000D070E
\IPC$, xrefs: 000D0784

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 79b2291befbb93bd089fbb6145b12ffe593b743d77009585e63aaf75747028a8
Instruction ID: f4bcc53c0d3201af9bafa6b396c6a55af1a7bbdb73afc480665526afde6f68be
Opcode Fuzzy Hash: 79b2291befbb93bd089fbb6145b12ffe593b743d77009585e63aaf75747028a8
Instruction Fuzzy Hash: AA412972C10228EBDF11EBA4DC85DEDB7B8BF44750F44812AE905A31A1EB745E44CFA0

Function 000F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000F3C5C
CoInitialize.OLE32(00000000), ref: 000F3C8A
CoUninitialize.OLE32 ref: 000F3C94
_wcslen.LIBCMT ref: 000F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 000F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 000F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000F3F0E
CoGetObject.OLE32(?,00000000,0010FB98,?), ref: 000F3F2D
SetErrorMode.KERNEL32(00000000), ref: 000F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000F3FC4
VariantClear.OLEAUT32(?), ref: 000F3FD8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b131812b4b8793b6bcb93525ecda5627bc201e3f4a30a288a6036acc4092749a
Instruction ID: 48525fa4ac6fa76444607ac693ef4df9c2abb1ed3972155bd986b039e9b2963a
Opcode Fuzzy Hash: b131812b4b8793b6bcb93525ecda5627bc201e3f4a30a288a6036acc4092749a
Instruction Fuzzy Hash: 8BC177716083099FC700DF28C88496BBBE9FF89758F10491DFA8A9B251D771EE45CB92

Function 000E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 000E7BA3
CoCreateInstance.OLE32(0010FD08,00000000,00000001,00136E6C,?), ref: 000E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000E7C74
CoTaskMemFree.OLE32(?,?), ref: 000E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 000E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000E7D7A
CoTaskMemFree.OLE32(00000000), ref: 000E7D81
CoTaskMemFree.OLE32(00000000), ref: 000E7DD6
CoUninitialize.OLE32 ref: 000E7DDC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d029d6cb36381a008ab0f01431268244cd8f779d1ac3eaa3d42974bb22b60961
Instruction ID: b5604601ef3f044c35b9a49de9eb308333796e181ad3ce67f73df5cedcda55b3
Opcode Fuzzy Hash: d029d6cb36381a008ab0f01431268244cd8f779d1ac3eaa3d42974bb22b60961
Instruction Fuzzy Hash: 86C12B75A04149AFCB14DFA5C884DAEBBF9FF48304B148599E819EB362D731EE41CB90

Function 000CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000CFB08
VariantInit.OLEAUT32(?), ref: 000CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000CFB3A
VariantCopy.OLEAUT32(?,?), ref: 000CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000CFBA1
VariantClear.OLEAUT32(?), ref: 000CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000CFBCC
VariantClear.OLEAUT32(?), ref: 000CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000CFBE9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7923c3ea879ea011f88670fe854e1404966d8394bd98c0e4423e156bc6c126c9
Instruction ID: 5e643b4a18afa6442c458bc81f24838f5bd2f3bd4becc5b273276a4d1c514156
Opcode Fuzzy Hash: 7923c3ea879ea011f88670fe854e1404966d8394bd98c0e4423e156bc6c126c9
Instruction Fuzzy Hash: CB412D75A0021A9FCB009F64C854EEEBBBAFF48344F008169E945E7661CB74A945CFA1

Function 000D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000D9D22
GetKeyState.USER32(000000A0), ref: 000D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000D9D57
GetKeyState.USER32(000000A1), ref: 000D9D6C
GetAsyncKeyState.USER32(00000011), ref: 000D9D84
GetKeyState.USER32(00000011), ref: 000D9D96
GetAsyncKeyState.USER32(00000012), ref: 000D9DAE
GetKeyState.USER32(00000012), ref: 000D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000D9DD8
GetKeyState.USER32(0000005B), ref: 000D9DEA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7c7f4cd3f5800e9d4d6ccc8f79edcdbd69d3ff44a44f16bfe76a62effef561b1
Instruction ID: 2f6852a9a87ea32678bc9becedcbcc4593aaea8546a66299df99d97a874e0cd8
Opcode Fuzzy Hash: 7c7f4cd3f5800e9d4d6ccc8f79edcdbd69d3ff44a44f16bfe76a62effef561b1
Instruction Fuzzy Hash: D341A6346047CA69FFB1976488043B5BEE16F11344F04815BDAC6567C2EBE599C8CBB2

Function 000F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000F05BC
inet_addr.WSOCK32(?), ref: 000F061C
gethostbyname.WSOCK32(?), ref: 000F0628
IcmpCreateFile.IPHLPAPI ref: 000F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 000F07B9
WSACleanup.WSOCK32 ref: 000F07BF

Strings

Ping, xrefs: 000F0676

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 85f356ee0694af4d996e406e14f7dc9bcbd7b888055232030eb67846f23a8c39
Instruction ID: c44f3b36d41ef0936cf1c6c699d7007b6986599dbb212499aa46cf73ac276b9d
Opcode Fuzzy Hash: 85f356ee0694af4d996e406e14f7dc9bcbd7b888055232030eb67846f23a8c39
Instruction Fuzzy Hash: 7D917F759087019FD720DF15C888F2ABBE0AF84318F1485A9E5A98BAA3C770ED41DF91

Function 000F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 000F8CF3

Part of subcall function 000D8E54: _wcslen.LIBCMT ref: 000D8E77

_wcslen.LIBCMT ref: 000F8D4E
_wcslen.LIBCMT ref: 000F8D9C
_wcslen.LIBCMT ref: 000F8DDC
_wcslen.LIBCMT ref: 000F8E6E

Strings

winapi, xrefs: 000F8D96, 000F8D9B
cdecl, xrefs: 000F8D48, 000F8D4D
none, xrefs: 000F8E65, 000F8E6A
stdcall, xrefs: 000F8DD6, 000F8DDB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: be5d2a53ac117fae1ab85d82fe17465e5876fe6e50a2fcd2ca614dad54159b44
Instruction ID: 2faba0887317f436e8b1fea5b6df58625d91c19fa530eccb96d50874f9627870
Opcode Fuzzy Hash: be5d2a53ac117fae1ab85d82fe17465e5876fe6e50a2fcd2ca614dad54159b44
Instruction Fuzzy Hash: BA51D172A0051A9BCF64DF68C9418FEB7E5BF64320B218229E626E76C1DF34DD40E790

Function 000F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000F3774
CoUninitialize.OLE32 ref: 000F377F
CoCreateInstance.OLE32(?,00000000,00000017,0010FB78,?), ref: 000F37D9
IIDFromString.OLE32(?,?), ref: 000F384C
VariantInit.OLEAUT32(?), ref: 000F38E4
VariantClear.OLEAUT32(?), ref: 000F3936

Strings

Failed to create object, xrefs: 000F37E4, 000F389A
Invalid parameter, xrefs: 000F3865
NULL Pointer assignment, xrefs: 000F381E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 95f0752ed35a54b0b9b0087bae2d14adae5f1222230407f483d8f69338982687
Instruction ID: a9d2bc2e3ffe2790b3cfc6df5c4fbb3addca0c2ea598c5d7a3fb906c5d684ede
Opcode Fuzzy Hash: 95f0752ed35a54b0b9b0087bae2d14adae5f1222230407f483d8f69338982687
Instruction Fuzzy Hash: D261B170608305AFD320EF54C849BAEB7E4EF48760F104909FA8597691CB74EE49DB96

Function 00075BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00075C7A

Part of subcall function 00075D0A: GetClientRect.USER32(?,?), ref: 00075D30
Part of subcall function 00075D0A: GetWindowRect.USER32(?,?), ref: 00075D71
Part of subcall function 00075D0A: ScreenToClient.USER32(?,?), ref: 00075D99

GetDC.USER32 ref: 000B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000B4708
SelectObject.GDI32(00000000,00000000), ref: 000B4716
SelectObject.GDI32(00000000,00000000), ref: 000B472B
ReleaseDC.USER32(?,00000000), ref: 000B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000B47C4

Strings

U, xrefs: 000B4693
@U=u, xrefs: 000B4708

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 72d7f15796cafa10a49de58c1a551b2162761818e6dd4e4ae2b329435c074b3e
Instruction ID: 77001415b9ecde0d344fbeb0ba2a77abba426dab35c7c763423e5c1344d94463
Opcode Fuzzy Hash: 72d7f15796cafa10a49de58c1a551b2162761818e6dd4e4ae2b329435c074b3e
Instruction Fuzzy Hash: 4171DD34804205EFCF218F64C984AEE3BF5FF4A311F148269E9555A2A7CB718A81DF60

Function 00108B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

Part of subcall function 0008912D: GetCursorPos.USER32(?), ref: 00089141
Part of subcall function 0008912D: ScreenToClient.USER32(00000000,?), ref: 0008915E
Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000001), ref: 00089183
Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000002), ref: 0008919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00108B6B
ImageList_EndDrag.COMCTL32 ref: 00108B71
ReleaseCapture.USER32 ref: 00108B77
SetWindowTextW.USER32(?,00000000), ref: 00108C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00108C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00108CFF

Strings

@GUI_DRAGFILE, xrefs: 00108C9A
@GUI_DROPID, xrefs: 00108C51
@U=u, xrefs: 00108C25

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: d9e8cf8f25d763c8f66f1fcac0ed38a9e336db3fbf95a33adadbf43fbbdc641a
Instruction ID: 5a7b8c34015474007382fd5c07b53f5560315a4e9d08997fec9b2eca007425fc
Opcode Fuzzy Hash: d9e8cf8f25d763c8f66f1fcac0ed38a9e336db3fbf95a33adadbf43fbbdc641a
Instruction Fuzzy Hash: 84519E74604300AFE704EF24DD56FAA77E4FB89714F400A2DF996572E2CBB19984CB62

Function 000E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000E33CF

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000E33F0

Strings

Line %d (File "%s"):, xrefs: 000E3443, 000E345C
Error: , xrefs: 000E34D1
^ ERROR , xrefs: 000E349E
"%s" (%d) : ==> %s:, xrefs: 000E3522
Incorrect parameters to object property !, xrefs: 000E34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 000E3504

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3cf70d19b6905f344d3e5e80656f1782da5732060dbf5e4c1d7468b2e5df8a00
Instruction ID: 82c3f54f7e777d2d88703d8ab93d01de200a616eb97f159c301840522e2e9375
Opcode Fuzzy Hash: 3cf70d19b6905f344d3e5e80656f1782da5732060dbf5e4c1d7468b2e5df8a00
Instruction Fuzzy Hash: D5518D72D00609BADF15EBA0CD46EEEB7B8AF14340F108165F509731A2EB352F98DB65

Function 000DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000DB5FC
_wcslen.LIBCMT ref: 000DB608
_wcslen.LIBCMT ref: 000DB64D
_wcslen.LIBCMT ref: 000DB68C
_wcslen.LIBCMT ref: 000DB6C7

Strings

REMOVE, xrefs: 000DB602, 000DB607
KEYS, xrefs: 000DB647, 000DB64C
EXISTS, xrefs: 000DB686, 000DB68B
APPEND, xrefs: 000DB6C1, 000DB6C6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 47602f5617b5b1ad23a9103170b2b2f2e4a0a5a86b746b803424c72a2d5441ae
Instruction ID: 13a00ab7aa8bb70fb4962130521ab9649155355e5e4c2607f3f48e4425568ede
Opcode Fuzzy Hash: 47602f5617b5b1ad23a9103170b2b2f2e4a0a5a86b746b803424c72a2d5441ae
Instruction Fuzzy Hash: 8941E832A00226DBCB605F7D89905BE77E5AF61754B26412BE421D7384E739CD81C7A0

Function 000E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000E5416
GetLastError.KERNEL32 ref: 000E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 000E54A7

Strings

READONLY, xrefs: 000E5452
UNKNOWN, xrefs: 000E5444
INVALID, xrefs: 000E5459
READY, xrefs: 000E5460, 000E5468
NOTREADY, xrefs: 000E544B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 07219b3399a57766b2ff998c3b25ef021183bf8797cf8e7f544055ddad0593f5
Instruction ID: 94263ec076185c106757acf6f84be2c492ebe59c95c56234172f6c5b9f6898d8
Opcode Fuzzy Hash: 07219b3399a57766b2ff998c3b25ef021183bf8797cf8e7f544055ddad0593f5
Instruction Fuzzy Hash: AD31D0B5A006449FC750DF69C884AAABBF4EF4530EF14C465E405EB2A2DBB0DD86CB90

Function 00103C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00103C79
SetMenu.USER32(?,00000000), ref: 00103C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00103D10
IsMenu.USER32(?), ref: 00103D24
CreatePopupMenu.USER32 ref: 00103D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00103D5B
DrawMenuBar.USER32 ref: 00103D63

Strings

0, xrefs: 00103C54
F, xrefs: 00103D4E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a52f89b95ecb3b68aab9972d2817dfc598f1d3fdf31b90e77e580e2c961439e7
Instruction ID: 0f7097e3b1f26bee1f12ab438ab030d888764a2d853bc217d976634328936071
Opcode Fuzzy Hash: a52f89b95ecb3b68aab9972d2817dfc598f1d3fdf31b90e77e580e2c961439e7
Instruction Fuzzy Hash: 22419C79A01209EFDB14CFA4D844AEA7BB9FF49310F140129F996973A0D7B0AA50DF90

Function 00102D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00102D1B
GetDC.USER32(00000000), ref: 00102D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00102D2E
ReleaseDC.USER32(00000000,00000000), ref: 00102D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00102D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00102D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00105A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00102DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00102DE1

Strings

@U=u, xrefs: 00102D87, 00102DE1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 53c00044f4f781e7d6516d4bfc89b129f084dca5db5fdea4f1ffbc8a3dc9b7e6
Instruction ID: ab2979f9dcf0017645359d493b3bcd6010ec3a20eac93be8eb057a43be5fc05f
Opcode Fuzzy Hash: 53c00044f4f781e7d6516d4bfc89b129f084dca5db5fdea4f1ffbc8a3dc9b7e6
Instruction Fuzzy Hash: 96317A76201214BFEB218F50CC8AFEB3BADEF09715F044155FE889A2D1C6B59C91CBA4

Function 000D209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000D214D

Strings

smallicons, xrefs: 000D2115
largeicons, xrefs: 000D20E1
@U=u, xrefs: 000D214D
details, xrefs: 000D20FB
SHELLDLL_DefView, xrefs: 000D20CC
list, xrefs: 000D212F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 75d329d28d016dd63dc5c767fe6538ffcb1e5c13e0240316d23500e211725185
Instruction ID: 0daf97d0dc4f755a0d37b2ffb6565369493396536ac6b26be3ee063b776b7d81
Opcode Fuzzy Hash: 75d329d28d016dd63dc5c767fe6538ffcb1e5c13e0240316d23500e211725185
Instruction Fuzzy Hash: 8411067A688706B9FB212220DC07DEA779DCF35724F204217FB04A52D6EFA168426A64

Function 00103A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00103A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00103AA0
GetWindowLongW.USER32(?,000000F0), ref: 00103AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00103AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00103B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00103BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00103BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00103BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00103BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00103C13

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b27b0e8e980553955a85eaec0c79f5a27845da92c9d4f500aebebb2afc5c1795
Instruction ID: 1832a4e87a3da6d2b604371fd5281670b1894f0f035553bd986854009a990cce
Opcode Fuzzy Hash: b27b0e8e980553955a85eaec0c79f5a27845da92c9d4f500aebebb2afc5c1795
Instruction Fuzzy Hash: BC617D75900248AFDB10DF68CD81EEE77B8EB49704F10419AFA55E72E1D7B0AE81DB50

Function 000DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB165
GetWindowThreadProcessId.USER32(00000000), ref: 000DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB21D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b48a77bd685aaa135fd567f7922ade5307f7564532fcd92b194fa448c0484150
Instruction ID: 117597dd4e83a9501215ac632151b5e3553fac2f11b58b30ae89285d4932a3c4
Opcode Fuzzy Hash: b48a77bd685aaa135fd567f7922ade5307f7564532fcd92b194fa448c0484150
Instruction Fuzzy Hash: 6E3180BA500304EFDB209F24EC84B7DBBB9BB56355F114206FA11D76A0D7B499808F74

Function 000A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000A2C94

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000A2CA0
_free.LIBCMT ref: 000A2CAB
_free.LIBCMT ref: 000A2CB6
_free.LIBCMT ref: 000A2CC1
_free.LIBCMT ref: 000A2CCC
_free.LIBCMT ref: 000A2CD7
_free.LIBCMT ref: 000A2CE2
_free.LIBCMT ref: 000A2CED
_free.LIBCMT ref: 000A2CFB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 99dd78261ecf4c01a08df4808d016f0fb111c84ad77a0fb54f6d427c530a364e
Instruction ID: 675c861c624c3bab038a37295dee51ad6fcd45fbe4e0f717cca1c8a57790c3b6
Opcode Fuzzy Hash: 99dd78261ecf4c01a08df4808d016f0fb111c84ad77a0fb54f6d427c530a364e
Instruction Fuzzy Hash: 0811A476110108BFCB42EF98D982CDE3BA5FF06750F4144A5FA489F223DA31EE509BA1

Function 000E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 000E7FC1
GetFileAttributesW.KERNEL32(?), ref: 000E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 000E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 000E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 000E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000E80B0

Strings

*.*, xrefs: 000E8066

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 3c46570c2eac045fe32b704e2753ca20c2cb09ca926692311970429af4f46429
Instruction ID: 68de0498442a8833a4c90a70e9f2255646faa59484f97ad882d5f1dd6f7c95b1
Opcode Fuzzy Hash: 3c46570c2eac045fe32b704e2753ca20c2cb09ca926692311970429af4f46429
Instruction Fuzzy Hash: 8D81B2715082819FCB64EF16C444AAEB3E8BF88310F54886EF88DE7251EB34DD45CB92

Function 000E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000E35E4

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

LoadStringW.USER32(00142390,?,00000FFF,?), ref: 000E360A

Strings

Line %d (File "%s"):, xrefs: 000E366B
Error: , xrefs: 000E36EF
"%s" (%d) : ==> %s:, xrefs: 000E3742
^ ERROR, xrefs: 000E36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 000E3724

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ec05da455247bfb942d5513dc6068b44d0cb4c9c4f01f47ed03d308d1e9033cc
Instruction ID: 05a226dd2a071a6f235b708ba41439305fbeb9e913dd507d7f1ff1f6f1372cee
Opcode Fuzzy Hash: ec05da455247bfb942d5513dc6068b44d0cb4c9c4f01f47ed03d308d1e9033cc
Instruction Fuzzy Hash: 02517F71C00249BBDF25EBA0CC46EEEBB78AF15310F148125F509721A2EB351B98DFA5

Function 00103886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00103925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0010393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00103954
_wcslen.LIBCMT ref: 00103999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001039F4

Strings

@U=u, xrefs: 00103925, 0010393A
SysListView32, xrefs: 001038F7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 312716f650bbd2c7face680dd8bc1f8b03d96e21a5d4b40e4572be2dc55bf254
Instruction ID: 98e07b7d48839c068f29b8c9dc166426c8a095294c06a3fc70fdafc3bb67df7a
Opcode Fuzzy Hash: 312716f650bbd2c7face680dd8bc1f8b03d96e21a5d4b40e4572be2dc55bf254
Instruction Fuzzy Hash: 5C419571A00219ABEF219F64CC49BEA77ADFF08354F100566F598E72D1D7B19980CB90

Function 00102DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00102E1C
GetWindowLongW.USER32(?,000000F0), ref: 00102E4F
GetWindowLongW.USER32(?,000000F0), ref: 00102E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00102EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00102EE0
GetWindowLongW.USER32(?,000000F0), ref: 00102EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00102F0B

Strings

@U=u, xrefs: 00102E1C, 00102EB6, 00102EE0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 679cb17382571adb6e55e061a19148b9f9996952594eb767b1d62d0ff70d9f03
Instruction ID: e1346d06eb0dc5b2ad6388371f9c3d1271d9de56896b3d2930365f4c60f1b6c4
Opcode Fuzzy Hash: 679cb17382571adb6e55e061a19148b9f9996952594eb767b1d62d0ff70d9f03
Instruction Fuzzy Hash: 38310434684254AFDB21CF58DC88FA537E5FB9A754F1501A4FA848F6F2CBB1A880DB41

Function 000EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000EC2CA
GetLastError.KERNEL32 ref: 000EC322
SetEvent.KERNEL32(?), ref: 000EC336
InternetCloseHandle.WININET(00000000), ref: 000EC341

Strings

, xrefs: 000EC2BB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4fa6d2422b7009f8f1a0e98633c8b5bc8072826df37708552f1eba3e43e9ffa6
Instruction ID: 3184b3b4fc222f0dfdde81cba94962b832647f6b8299101f3511f24e76c859ed
Opcode Fuzzy Hash: 4fa6d2422b7009f8f1a0e98633c8b5bc8072826df37708552f1eba3e43e9ffa6
Instruction Fuzzy Hash: 34319371500284AFE7219F668C84EAB7BFCEB45740B14851DF486A2601D771DD469BA0

Function 000D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000B3AAF,?,?,Bad directive syntax error,0010CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000D98BC
LoadStringW.USER32(00000000,?,000B3AAF,?), ref: 000D98C3

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000D9987

Strings

Line %d (File "%s"):, xrefs: 000D992D
Line %d:, xrefs: 000D9912
., xrefs: 000D996D
Error: , xrefs: 000D9955
%s (%d) : ==> %s.: %s %s, xrefs: 000D98F1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a5e54c01df8b6fb55e97c78202eb62dc80e369a1177aa378c9d81e1410570215
Instruction ID: 81c8e957eb674f745acf20825df8eb7ba779f11e3f88993ff6e06a4c3093626a
Opcode Fuzzy Hash: a5e54c01df8b6fb55e97c78202eb62dc80e369a1177aa378c9d81e1410570215
Instruction Fuzzy Hash: 75216D31D0021AFBDF25AF90CC16EEE7779FF18300F04846AF519660A2EB759658DB61

Function 000ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000ACEB7
_free.LIBCMT ref: 000ACF22
_free.LIBCMT ref: 000ACF48
_free.LIBCMT ref: 000ACF71
_free.LIBCMT ref: 000ACFA9
_free.LIBCMT ref: 000ACFDA
_free.LIBCMT ref: 000AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000AD09C
_free.LIBCMT ref: 000AD0B5

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4f91c54b7661c32a3c93e813a46f9cade62f40640e245cdac9048730fa9102ab
Instruction ID: 1641fa9068baa39bde0a845d599740c0d81c0a7c7acc0acd7c43a503894ceb34
Opcode Fuzzy Hash: 4f91c54b7661c32a3c93e813a46f9cade62f40640e245cdac9048730fa9102ab
Instruction Fuzzy Hash: 87614672904301AFEF61AFF89881FAE7BE5AF07320F05427EFA5597292D6319D418790

Function 000EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000EC182
GetLastError.KERNEL32 ref: 000EC195
SetEvent.KERNEL32(?), ref: 000EC1A9

Part of subcall function 000EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000EC272
Part of subcall function 000EC253: GetLastError.KERNEL32 ref: 000EC322
Part of subcall function 000EC253: SetEvent.KERNEL32(?), ref: 000EC336
Part of subcall function 000EC253: InternetCloseHandle.WININET(00000000), ref: 000EC341

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3986f18be59d0d40970369d527059409545faa788fd9a13c7d702e8a472618a0
Instruction ID: f32c9e564e69e9b135bf6be7e159e0560243f65eb3f00e07fb1ff3670d819a4f
Opcode Fuzzy Hash: 3986f18be59d0d40970369d527059409545faa788fd9a13c7d702e8a472618a0
Instruction Fuzzy Hash: 2D31A371100681AFEB219FA6DC04E6A7BF8FF14300B00451DFA5696A11D732E8519FA0

Function 000D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000D2627

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b6ca665d7f67a789c84d5667db1b732ddd20de04673ffa51d1a693ae146f5940
Instruction ID: c2ee7283797ad0c16b1cfc35b38a292b0cc6c7c6210db7249f97909900181c22
Opcode Fuzzy Hash: b6ca665d7f67a789c84d5667db1b732ddd20de04673ffa51d1a693ae146f5940
Instruction Fuzzy Hash: 6501B530390710BBFB2067689C8AF993E59EB5AB11F100102F354AE1D1C9F254848EBA

Function 000D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000D1449,?,?,00000000), ref: 000D180C
HeapAlloc.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000D1449,?,?,00000000), ref: 000D1828
GetCurrentProcess.KERNEL32(?,00000000,?,000D1449,?,?,00000000), ref: 000D1830
DuplicateHandle.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000D1449,?,?,00000000), ref: 000D1843
GetCurrentProcess.KERNEL32(000D1449,00000000,?,000D1449,?,?,00000000), ref: 000D184B
DuplicateHandle.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D184E
CreateThread.KERNEL32(00000000,00000000,000D1874,00000000,00000000,00000000), ref: 000D1868

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ecfe381d0a46f7ef665834a48300c5698df0dbae5ae3de43e6d3ce65e6c851b3
Instruction ID: 68e522301030ae284cd692fff8d4b785ae6836844ad3d3d8a636c7b2793b10d5
Opcode Fuzzy Hash: ecfe381d0a46f7ef665834a48300c5698df0dbae5ae3de43e6d3ce65e6c851b3
Instruction Fuzzy Hash: 1101AC75240304FFE610AB65DC49F573B6CEB89B11F004511FA45DB591CAB09840CF60

Function 000A3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000A3F0B
__alldvrm.LIBCMT ref: 000A410C
__alldvrm.LIBCMT ref: 000A412E

Strings

}}, xrefs: 000A40CD
}}, xrefs: 000A3E96, 000A3EF1, 000A3F0A, 000A4090
}}, xrefs: 000A3E8A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-725535543
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 4192c9ad92e33426ea9f243654c7cafd658b7c76823458bf8435fba835ffaa85
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: F2A16979D103869FDB25CF98C891BEEBBE4EFA3350F18416DE5859B282C2B48D81C750

Function 000FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
Part of subcall function 000DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
Part of subcall function 000DD4DC: CloseHandle.KERNEL32(00000000), ref: 000DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA16D
GetLastError.KERNEL32 ref: 000FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 000FA268
GetLastError.KERNEL32(00000000), ref: 000FA273
CloseHandle.KERNEL32(00000000), ref: 000FA2C4

Strings

SeDebugPrivilege, xrefs: 000FA18F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b0d382b07a5fd16d7ee2401614a7403804cedcfc37deedc63f22634068d05992
Instruction ID: 74e7bf097e503c4d9b2a7e870098e22e5f3795244cf9094dd58f7d7de7d13895
Opcode Fuzzy Hash: b0d382b07a5fd16d7ee2401614a7403804cedcfc37deedc63f22634068d05992
Instruction Fuzzy Hash: D0618A702042029FD360DF18C494F69BBE1AF45318F14849CE56A4BBA3C776ED45CB92

Function 000DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000DBCFD
IsMenu.USER32(00000000), ref: 000DBD1D
CreatePopupMenu.USER32 ref: 000DBD53
GetMenuItemCount.USER32(017C64B0), ref: 000DBDA4
InsertMenuItemW.USER32(017C64B0,?,00000001,00000030), ref: 000DBDCC

Strings

0, xrefs: 000DBCA8
2, xrefs: 000DBD37

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 02361bba93111f60eb118e5a3805dd382db73b21edc9db90838cb1b7dc46a934
Instruction ID: 60af39b1439842722fb63f2a74362373d73e5436af351205f3a64fcbb009d60b
Opcode Fuzzy Hash: 02361bba93111f60eb118e5a3805dd382db73b21edc9db90838cb1b7dc46a934
Instruction Fuzzy Hash: C8518E70A00309DBDB20DFA8D884BAEBBF6BF49314F15425AE4519B391E7709945CB71

Function 00092D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00092D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00092D53
_ValidateLocalCookies.LIBCMT ref: 00092DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00092E0C
_ValidateLocalCookies.LIBCMT ref: 00092E61

Strings

&H, xrefs: 00092DFE, 00092E07, 00092E18
csm, xrefs: 00092DF6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1834196660
Opcode ID: 972d7325c257450e38eb3beff5ee858aea3af525a5549b721499336f9d6b3514
Instruction ID: 2e483de005d49b528a72ac04d33658738bf4b754cffd1ac5fcb7152bfa9291e2
Opcode Fuzzy Hash: 972d7325c257450e38eb3beff5ee858aea3af525a5549b721499336f9d6b3514
Instruction Fuzzy Hash: C9419D34E02209ABCF14DF68C885ADEBBF5BF44324F148155F814AB392DB71AA45EBD0

Function 001081DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000CF3AB,00000000,?,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 0010824C
EnableWindow.USER32(?,00000000), ref: 00108272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001082D1
ShowWindow.USER32(?,00000004), ref: 001082E5
EnableWindow.USER32(?,00000001), ref: 0010830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0010832F

Strings

@U=u, xrefs: 0010832F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: a2affd3f9faf9d9a6a61cd88e557c00f8dc41a14de492355c21c0093dfab69d7
Instruction ID: 3ea0cb1dc05ad034c1adcf6854546cb6dd12bec8fb97115265e58fe9be4e7538
Opcode Fuzzy Hash: a2affd3f9faf9d9a6a61cd88e557c00f8dc41a14de492355c21c0093dfab69d7
Instruction Fuzzy Hash: 2C417D34605644AFDF21CF15C899BE47BE1BB4A714F1852A9E6C84F6F2CBB1A881CF50

Function 000D4C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000D4CEA
_wcslen.LIBCMT ref: 000D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000D4D10
_wcsstr.LIBVCRUNTIME ref: 000D4D1A

Strings

@U=u, xrefs: 000D4CB2, 000D4CEA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: 474b0e289dd634bdabc8c72ef172ef2898dce35c9e4c9963130615cb3667085a
Instruction ID: 9511553b699eb1a55205ca7e3d9fc32954a6078431bcdb19ffb68228598913d8
Opcode Fuzzy Hash: 474b0e289dd634bdabc8c72ef172ef2898dce35c9e4c9963130615cb3667085a
Instruction Fuzzy Hash: 3321C272204305BBEB655B39AC49EBB7BDDDF45750F10812AF809CA292EAB1DC4196B0

Function 000DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000DC913

Strings

info, xrefs: 000DC8B4
question, xrefs: 000DC8CC
warning, xrefs: 000DC8FC
blank, xrefs: 000DC895
stop, xrefs: 000DC8E4

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 539da8712ecf5a958f7b3cbfbb8705c2cde36f100d587fac7556cb709367ff40
Instruction ID: f0a33b655eac5d5fa7192ee63f15ef1da5ebfdb7bcf0aefadfa89e7661e04e7d
Opcode Fuzzy Hash: 539da8712ecf5a958f7b3cbfbb8705c2cde36f100d587fac7556cb709367ff40
Instruction Fuzzy Hash: 45110A32689307BAFB119B54DC93CEEB7DCDF15364B60402BF500A6382EBB05E41A275

Function 000DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000DDE42
gethostname.WSOCK32(?,00000100), ref: 000DDE5C
gethostbyname.WSOCK32(?), ref: 000DDE69
inet_ntoa.WSOCK32(?), ref: 000DDEAB
_strcat.LIBCMT ref: 000DDEB9
WSACleanup.WSOCK32 ref: 000DDEDE

Strings

0.0.0.0, xrefs: 000DDE87

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: e3d558b30df5271950c779dd19308981b36c2566489b2978f431cd31935636a0
Instruction ID: 38fbea092c8ec33363f813d9ee825b18bb97bcbf9d539e251128da143dac3201
Opcode Fuzzy Hash: e3d558b30df5271950c779dd19308981b36c2566489b2978f431cd31935636a0
Instruction Fuzzy Hash: 8D110A31504205AFCB207B74DC0AEEF77ACDF11711F00016BF44596192EFB08A819FA0

Function 000C7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000C7469
GetWindowDC.USER32(?), ref: 000C7475
GetPixel.GDI32(00000000,?,?), ref: 000C7484
ReleaseDC.USER32(?,00000000), ref: 000C7496
GetSysColor.USER32(00000005), ref: 000C74B0

Strings

@U=u, xrefs: 000C7469

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: e9d1e402404cf9921d1ee3ab5ccf1ba5c8c5729bb8a9d2cc2bd9f943b1e36984
Instruction ID: 07835df4edf98d059a24f79d09a6a0818f20e30cb1f7f6423fde8cf28ef7e1b2
Opcode Fuzzy Hash: e9d1e402404cf9921d1ee3ab5ccf1ba5c8c5729bb8a9d2cc2bd9f943b1e36984
Instruction Fuzzy Hash: 68018B31500205EFDB605F64DC08FEEBBB6FB04321F100264FA59A25A0CF711E81AF90

Function 000DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000DED2A
_wcslen.LIBCMT ref: 000DED3B
_wcslen.LIBCMT ref: 000DED79
_wcslen.LIBCMT ref: 000DEDAF
_wcslen.LIBCMT ref: 000DEDDF
_wcslen.LIBCMT ref: 000DEDEF
_wcslen.LIBCMT ref: 000DEE2B
_wcslen.LIBCMT ref: 000DEE5A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 143fe7edb3fdda7ffb345908dfc8c7affd4c558b16564b87060669195365a8b7
Instruction ID: eec557a7d4c18ee27601a8b54b48ce226f22c869e81a18b8ec0651cf21d026d0
Opcode Fuzzy Hash: 143fe7edb3fdda7ffb345908dfc8c7affd4c558b16564b87060669195365a8b7
Instruction Fuzzy Hash: 59418C65C10218A6CF11FBB4C88AACFB7A8AF45710F508563E518E7262EB34E255C3A6

Function 0008F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 0008F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 000CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 000CF454

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9ab83c170a4ff388faaf5cee1d0b33bd4ff5fb9597727b8f034dabde0cddaf0d
Instruction ID: 2cc7a8105cdb248bdb6018c10efd65b5a5cd18fabca948d354309aca981d9831
Opcode Fuzzy Hash: 9ab83c170a4ff388faaf5cee1d0b33bd4ff5fb9597727b8f034dabde0cddaf0d
Instruction Fuzzy Hash: 2E413B30218682FAC779BB38C888B7E7BD2BB56314F14413CE0C792961C676A9C0CB52

Function 000D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000D5637
_memcmp.LIBVCRUNTIME ref: 000D5659
_memcmp.LIBVCRUNTIME ref: 000D5671
_memcmp.LIBVCRUNTIME ref: 000D5684
_memcmp.LIBVCRUNTIME ref: 000D569E
_memcmp.LIBVCRUNTIME ref: 000D56B1
_memcmp.LIBVCRUNTIME ref: 000D56C9
_memcmp.LIBVCRUNTIME ref: 000D56E4

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: de829d349ea442c208cf22d66c9e4307a7194b1f9626ccbd5e09037f954ad4df
Instruction ID: 34efdb9cbe5a68b25b155e91469bf05e60c95b9a05d9f0ec7fb4a8894bb75e44
Opcode Fuzzy Hash: de829d349ea442c208cf22d66c9e4307a7194b1f9626ccbd5e09037f954ad4df
Instruction Fuzzy Hash: 98218671744B09B7E62555109E83FFA33ACAF10396F544026FD045BB82F7A0EE1195B5

Function 000F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 000F5007
NULL Pointer assignment, xrefs: 000F502E, 000F5383

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9d64ff0079643e5138885cb762960b2f7e6493c5bca45bb317ce63319e34b422
Instruction ID: a1ef2c85f9ca96b1a9a772d318116f2747b81780bb1c97ac802106af21880d8c
Opcode Fuzzy Hash: 9d64ff0079643e5138885cb762960b2f7e6493c5bca45bb317ce63319e34b422
Instruction Fuzzy Hash: B1D18E71A0060AAFDB10CF98CC81BBEB7F5BF48345F148169EA15AB681E770E941DB90

Function 000B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000B17FB,?,000B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000B16FB

Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000B1777
__freea.LIBCMT ref: 000B17A2
__freea.LIBCMT ref: 000B17AE

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 07fe767eb4ca41ab5dbce1963f23f77ea7b37d3ccf97ea4f60db1abd72a29d57
Instruction ID: 923a65fd1c82486decdb93e5c2a084a02db35b07213c7a8c270c881b918fa117
Opcode Fuzzy Hash: 07fe767eb4ca41ab5dbce1963f23f77ea7b37d3ccf97ea4f60db1abd72a29d57
Instruction Fuzzy Hash: 1F91B471E146169ADF308FB4C8A1AEEBBF5EF49350F984669E801E7181DB35DD40CBA0

Function 000F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000F4648
VariantInit.OLEAUT32(?), ref: 000F4749
VariantClear.OLEAUT32(?), ref: 000F4753
VariantClear.OLEAUT32(?), ref: 000F47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 000F45D8, 000F4706, 000F47BE
Incorrect Object type in FOR..IN loop, xrefs: 000F472C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4d416e936b77cd178665e733664f5008c31c6ed2fa01d7adf613248d6d55a7eb
Instruction ID: 80a09a42a6cadda2105ac47e57e1604f7cf8ce3a59bd8307dbdebcfc7dc8b2e5
Opcode Fuzzy Hash: 4d416e936b77cd178665e733664f5008c31c6ed2fa01d7adf613248d6d55a7eb
Instruction Fuzzy Hash: 68918E71A04219ABDF20DFA5C884FBFBBB8EF46710F108559FA05AB681D7709941DFA0

Function 000E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E1430

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b68f0197b89551f902d73a74f756c651e4cdc1dc0a724df4127fd80e7f45828d
Instruction ID: aca3d757485218b0ea91c99874fe9e6e1ae4e649481fe81e7beed595d96ab5e6
Opcode Fuzzy Hash: b68f0197b89551f902d73a74f756c651e4cdc1dc0a724df4127fd80e7f45828d
Instruction Fuzzy Hash: 7991F3B1A00249AFDB00DFA9C884BFEB7B5FF45314F104029EA51FB292D775A941CB90

Function 0008948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a1c58e3fbb28c29f63d239cf4c4fcb7fe26eccab4b43df597c0aa4c5cea5966a
Instruction ID: 1363f135c70306952df22168c84460a4dc84d98d87926effe97d426b3d96e07c
Opcode Fuzzy Hash: a1c58e3fbb28c29f63d239cf4c4fcb7fe26eccab4b43df597c0aa4c5cea5966a
Instruction Fuzzy Hash: A3911671D00219EFCB50EFA9C884AEEBBB8FF49320F184559E555B7251D374AA81CF60

Function 000F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000F396B
CharUpperBuffW.USER32(?,?), ref: 000F3A7A
_wcslen.LIBCMT ref: 000F3A8A
VariantClear.OLEAUT32(?), ref: 000F3C1F

Part of subcall function 000E0CDF: VariantInit.OLEAUT32(00000000), ref: 000E0D1F
Part of subcall function 000E0CDF: VariantCopy.OLEAUT32(?,?), ref: 000E0D28
Part of subcall function 000E0CDF: VariantClear.OLEAUT32(?), ref: 000E0D34

Strings

Incorrect Parameter format, xrefs: 000F39A6, 000F3BA1
AUTOIT.ERROR, xrefs: 000F3A80, 000F3A85

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: c87cddcf07dcb26f808a756a0f47db6b54c015273bc63ac090c138f97a43868c
Instruction ID: 1ebef709290058be599af20286b5392cfa0c7df6f0318b640e9ae377ef7cccb3
Opcode Fuzzy Hash: c87cddcf07dcb26f808a756a0f47db6b54c015273bc63ac090c138f97a43868c
Instruction Fuzzy Hash: 57918974A083099FC714EF24C48196AB7E4FF89324F14892DF9899B352DB31EE45DB92

Function 000F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?,?,000D035E), ref: 000D002B
Part of subcall function 000D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0046
Part of subcall function 000D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0054
Part of subcall function 000D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?), ref: 000D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000F4C51
_wcslen.LIBCMT ref: 000F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000F4DCF
CoTaskMemFree.OLE32(?), ref: 000F4DDA

Strings

NULL Pointer assignment, xrefs: 000F4E23, 000F4E52

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: febf34c60f95eea78616b03b97af777a1aad5e1f5a223b6cebda21a6687dc366
Instruction ID: 14789caaadbc1432f5ffbbf56457909f8d44d4425a007b803c7805392fd46e83
Opcode Fuzzy Hash: febf34c60f95eea78616b03b97af777a1aad5e1f5a223b6cebda21a6687dc366
Instruction Fuzzy Hash: 8A911771D0021DAFDF14DFA4C891AEEB7B8BF48310F10816AE919A7251EB749A44DFA0

Function 001020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00102183
GetMenuItemCount.USER32(00000000), ref: 001021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001021DD
_wcslen.LIBCMT ref: 00102213
GetMenuItemID.USER32(?,?), ref: 0010224D
GetSubMenu.USER32(?,?), ref: 0010225B

Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001022E3

Part of subcall function 000DE97B: Sleep.KERNELBASE ref: 000DE9F3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8eb2f723bef3f6486d5cd2a3cadf500887e4db75d2a27f8c26079c26503caa8f
Instruction ID: 218dcb95ce6adf3f65b6dd16d1320aa5db3446d533c4108b8c3cfc31d5070279
Opcode Fuzzy Hash: 8eb2f723bef3f6486d5cd2a3cadf500887e4db75d2a27f8c26079c26503caa8f
Instruction Fuzzy Hash: F5717175E00205AFCB14EFA4C845AAEB7F5FF48310F158459E89AEB381D774AD418F90

Function 000DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000DAEF9
GetKeyboardState.USER32(?), ref: 000DAF0E
SetKeyboardState.USER32(?), ref: 000DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000DB020

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: adcc74040cc46d82aa64f367adc1e6c09f584ddb0b3a408f58d5a48683a07c7b
Instruction ID: e69cbe20b6963c4a373f7ed4290fedb4286738cde82387a48ea76826a73d8599
Opcode Fuzzy Hash: adcc74040cc46d82aa64f367adc1e6c09f584ddb0b3a408f58d5a48683a07c7b
Instruction Fuzzy Hash: 6651EEA1A043D17DFB3683348845BBBBEE95B06304F08858AF1D985AC3C3D9A8C8D771

Function 000DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000DAD19
GetKeyboardState.USER32(?), ref: 000DAD2E
SetKeyboardState.USER32(?), ref: 000DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000DAE38

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5348cf70ec806e7d1897f9683dbe879ced0eabc372c7e7b4e9dcd5c4935bfbee
Instruction ID: 4e7706e37750cc071754f69a20e763d41d3e1aaf900601957689956780ce5f9a
Opcode Fuzzy Hash: 5348cf70ec806e7d1897f9683dbe879ced0eabc372c7e7b4e9dcd5c4935bfbee
Instruction Fuzzy Hash: B151D5A16047D53DFB3683348C55BBA7FE95B47300F08858AE1D646AC3D294EC88E776

Function 000A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000B3CD6,?,?,?,?,?,?,?,?,000A5BA3,?,?,000B3CD6,?,?), ref: 000A5470
__fassign.LIBCMT ref: 000A54EB
__fassign.LIBCMT ref: 000A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000B3CD6,00000005,00000000,00000000), ref: 000A552C
WriteFile.KERNEL32(?,000B3CD6,00000000,000A5BA3,00000000,?,?,?,?,?,?,?,?,?,000A5BA3,?), ref: 000A554B
WriteFile.KERNEL32(?,?,00000001,000A5BA3,00000000,?,?,?,?,?,?,?,?,?,000A5BA3,?), ref: 000A5584

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 5ce044ad492bb82c8b95de3de62e67e084b970477e73f6e466e8a593c2c0a99a
Instruction ID: 2f5d8cb626486ae2a067f05bc153d7e2d0e65850c96d29fe6f04745d46a7338b
Opcode Fuzzy Hash: 5ce044ad492bb82c8b95de3de62e67e084b970477e73f6e466e8a593c2c0a99a
Instruction Fuzzy Hash: A051AF70E006499FDB11CFA8DC55AEEBBF9FF0A301F14411AF955E7291D6309A41CBA0

Function 00106B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00106C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00106C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00106C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000EAB79,00000000,00000000), ref: 00106C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00106CC7

Strings

@U=u, xrefs: 00106C73

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: e2f64ada596c446456a003b23c06c00551c0561f5434a534e773a0aedb944ba1
Instruction ID: 4f6c9ad797f758c4fd0cbffe84ee8c58cd3c6866c8fcfd2344a1a06653af6fe0
Opcode Fuzzy Hash: e2f64ada596c446456a003b23c06c00551c0561f5434a534e773a0aedb944ba1
Instruction Fuzzy Hash: 2F41B735604104AFE724CF28CE54FA97BA5EB0A350F150268F9D9A72E0C7B1AD61DA90

Function 000F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
Part of subcall function 000F304E: _wcslen.LIBCMT ref: 000F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000F1112
WSAGetLastError.WSOCK32 ref: 000F1121
WSAGetLastError.WSOCK32 ref: 000F11C9
closesocket.WSOCK32(00000000), ref: 000F11F9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 1dc059014ce38cfd1f35fe70f9e8d299b8e7368829e322a9f2a7c9d542e0f28d
Instruction ID: eba6731e25b54f059f5732b6d122b490f02dd1740e8f00d757c15be177f084d5
Opcode Fuzzy Hash: 1dc059014ce38cfd1f35fe70f9e8d299b8e7368829e322a9f2a7c9d542e0f28d
Instruction Fuzzy Hash: 9A41CF31600208AFDB109F24C884BE9B7E9FF45324F148159FA599B692C774AD818BE1

Function 000DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000DCF22,?), ref: 000DDDFD

Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000DCF22,?), ref: 000DDE16

lstrcmpiW.KERNEL32(?,?), ref: 000DCF45
MoveFileW.KERNEL32(?,?), ref: 000DCF7F
_wcslen.LIBCMT ref: 000DD005
_wcslen.LIBCMT ref: 000DD01B
SHFileOperationW.SHELL32(?), ref: 000DD061

Strings

\*.*, xrefs: 000DCFF3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9bf394ecf1f3e3f7b5c0b0a46cf9863454aa06e0dceb3b6e67482df41c7bc8b7
Instruction ID: 5aac7ee7fdedffe5af7bbed41f01aebd36ef772d1cdb5786515fc3763b58c96c
Opcode Fuzzy Hash: 9bf394ecf1f3e3f7b5c0b0a46cf9863454aa06e0dceb3b6e67482df41c7bc8b7
Instruction Fuzzy Hash: 324135719453195FDF52EBA4C981EDDB7F9AF58380F1000E7E549EB242EA34A688CF60

Function 000D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D778F
SysAllocString.OLEAUT32(00000000), ref: 000D7792
SysAllocString.OLEAUT32(?), ref: 000D77B0
SysFreeString.OLEAUT32(?), ref: 000D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000D77DE
SysAllocString.OLEAUT32(?), ref: 000D77EC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 30db580c70150ccd4600ea95686e5d2d6143ecbd1ee9dc09743321ab18404d90
Instruction ID: 62497bc6b464995094c8ac2281cc91652b3044a7db2d0bd81b3da40f9a0de2a7
Opcode Fuzzy Hash: 30db580c70150ccd4600ea95686e5d2d6143ecbd1ee9dc09743321ab18404d90
Instruction Fuzzy Hash: D7217176608219AFDB109FA8CC84CBB77ECFB097647048526F959DB291E6709C818BB4

Function 000D1DE2 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000D1EA9

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

Strings

@U=u, xrefs: 000D1E66, 000D1E79, 000D1EA9
ComboBox, xrefs: 000D1DF0
ListBox, xrefs: 000D1E25

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 2081771294-2258501812
Opcode ID: 3fcbf860ae514aa08e124cc7ce44572285d0d784e13b82bd2c9cf65093f596ed
Instruction ID: 2a6025d2fb9941b2e2ed963a557f36e6273feff6751a948a944cb651947527b8
Opcode Fuzzy Hash: 3fcbf860ae514aa08e124cc7ce44572285d0d784e13b82bd2c9cf65093f596ed
Instruction Fuzzy Hash: FD212971A00204BEDB14AB64DC46CFFB7B9EF45354B14411AF815A72E2DF7949468B70

Function 000D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7868
SysAllocString.OLEAUT32(00000000), ref: 000D786B
SysAllocString.OLEAUT32 ref: 000D788C
SysFreeString.OLEAUT32 ref: 000D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000D78AF
SysAllocString.OLEAUT32(?), ref: 000D78BD

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d93c806695362d0603637dfe52fcb423bfc5110c46458418ce9e9a0f1f3ec326
Instruction ID: c019f996323b99258cfcfaec71d03c907f41c6bea7f4cc288086dae20bb910d0
Opcode Fuzzy Hash: d93c806695362d0603637dfe52fcb423bfc5110c46458418ce9e9a0f1f3ec326
Instruction Fuzzy Hash: C2214435604205AFDB10AFB8DC89DBA77ECFB097607108126F959CB2A1EA74DC81DB74

Function 00105706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00105745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0010579D
_wcslen.LIBCMT ref: 001057AF
_wcslen.LIBCMT ref: 001057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00105816

Strings

@U=u, xrefs: 00105745, 0010579D, 00105816

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 2c6445a622eebce5c5835d6e813b70bbcc501f34d3d11b667b4c90ed5b2285ea
Instruction ID: 87f757a3115cd6867350a5b7311cb00af4cb88d35c063361f1ce7a0c5de07b23
Opcode Fuzzy Hash: 2c6445a622eebce5c5835d6e813b70bbcc501f34d3d11b667b4c90ed5b2285ea
Instruction Fuzzy Hash: C8218275904618AADF209FA0CC85AEE7BBDFF44724F108216E969EA1C1E7B099C5CF50

Function 000E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E052E

Strings

nul, xrefs: 000E0567

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c1d1fa9df03e9f02c11292978621c6f9a9e98b9d8399b337ed9c9e89337d0aa3
Instruction ID: 5574a9fd177f52a2bf5251ed29f62512e4994a91c4bbfe67193a3b3b0ff3d840
Opcode Fuzzy Hash: c1d1fa9df03e9f02c11292978621c6f9a9e98b9d8399b337ed9c9e89337d0aa3
Instruction Fuzzy Hash: 73215E76500745EFDB209F2ADC44A9B77F4AF85764F604A19E8E1E62E0D7B09980CF60

Function 000E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E0601

Strings

nul, xrefs: 000E0639

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f724819d0b9f6a5c2681aa498b817cf07fdd2d187f3ecb9f865c7bbc0711d0f3
Instruction ID: ec67d3beca986d446984c33adad9f54c333f3604c9c54c219a9c3d29ca5d018f
Opcode Fuzzy Hash: f724819d0b9f6a5c2681aa498b817cf07fdd2d187f3ecb9f865c7bbc0711d0f3
Instruction Fuzzy Hash: 4C217F755003459FDB209F6A9C04B9A77E8BF95724F240B1AE8A1F72E0D7F099E0CB50

Function 001040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0007600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
Part of subcall function 0007600E: GetStockObject.GDI32(00000011), ref: 00076060
Part of subcall function 0007600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00104112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0010411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0010412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00104139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00104145

Strings

Msctls_Progress32, xrefs: 001040E3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3b5b4e03c6786a0b9b72d59da6e5d559c1b38ad679ebf29a907ab9b5961d2381
Instruction ID: 009aef5990459c4cafcfc122a69f64e0a8c7e47a54fd93ffda8891db2a8d31f3
Opcode Fuzzy Hash: 3b5b4e03c6786a0b9b72d59da6e5d559c1b38ad679ebf29a907ab9b5961d2381
Instruction Fuzzy Hash: F11193B214011DBEEF119F64CC85EE77F5DEF08798F014110B758A2190CBB29C61DBA4

Function 000AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000AD7A3: _free.LIBCMT ref: 000AD7CC

_free.LIBCMT ref: 000AD82D

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000AD838
_free.LIBCMT ref: 000AD843
_free.LIBCMT ref: 000AD897
_free.LIBCMT ref: 000AD8A2
_free.LIBCMT ref: 000AD8AD
_free.LIBCMT ref: 000AD8B8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b38c6f681fe2aa6d319fb9393d35d6ff975801ed07d05bf22e449dc8561ee7b5
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5C115E71544B04AAD661BFF0CC47FCF7BDCAF02B40F400826B29AA68A3EE65B5058661

Function 000DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000DDA74
LoadStringW.USER32(00000000), ref: 000DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000DDA91
LoadStringW.USER32(00000000), ref: 000DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000DDAB9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 38bfebd7f28c793beb0816eca84f0528ab047deb57f8654751d06ba12d2b74fc
Instruction ID: 043fef8c50e2f5aefe869d6c25d015a8475fa602ecebe0b0b7c5c73e4b236c3e
Opcode Fuzzy Hash: 38bfebd7f28c793beb0816eca84f0528ab047deb57f8654751d06ba12d2b74fc
Instruction Fuzzy Hash: 100186F6900308BFE7109BA4DD89EEB376CE708301F404592B746E2181E6B49EC48FB5

Function 000E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(017C0000,017C0000), ref: 000E097B
EnterCriticalSection.KERNEL32(017BFFE0,00000000), ref: 000E098D
TerminateThread.KERNEL32(?,000001F6), ref: 000E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 000E09A9
CloseHandle.KERNEL32(?), ref: 000E09B8
InterlockedExchange.KERNEL32(017C0000,000001F6), ref: 000E09C8
LeaveCriticalSection.KERNEL32(017BFFE0), ref: 000E09CF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: eda9685869198bd1d531d2bd45ea0468648f7a26d89003d24dc80cf96a135a17
Instruction ID: 6b2b7e9add8db32160d17ed56d72c389510ca0563a6a07590d88c1ecbfe18521
Opcode Fuzzy Hash: eda9685869198bd1d531d2bd45ea0468648f7a26d89003d24dc80cf96a135a17
Instruction Fuzzy Hash: CDF0C932442A12ABD7515FA4EE89AD6BA69BF05702F402225F242A4CA1C7B594A5CFD0

Function 000F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000F1DE1
WSAGetLastError.WSOCK32 ref: 000F1DF2
htons.WSOCK32(?,?,?,?,?), ref: 000F1EDB
inet_ntoa.WSOCK32(?), ref: 000F1E8C

Part of subcall function 000D39E8: _strlen.LIBCMT ref: 000D39F2

Part of subcall function 000F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000EEC0C), ref: 000F3240

_strlen.LIBCMT ref: 000F1F35

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1ee17435913aaa249ea7eabb064bd54b1428e4c554839e3f70ded2858bb434a4
Instruction ID: 0478e3c2536b45cb6b996638deba4a0927c68f2ed3b9b072cc037d507ee0469d
Opcode Fuzzy Hash: 1ee17435913aaa249ea7eabb064bd54b1428e4c554839e3f70ded2858bb434a4
Instruction Fuzzy Hash: 2EB1CD30604304AFC324EF24C885EBA7BE5AF84318F54855CF55A5B6A3CB71ED46CB92

Function 00075D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00075D30
GetWindowRect.USER32(?,?), ref: 00075D71
ScreenToClient.USER32(?,?), ref: 00075D99
GetClientRect.USER32(?,?), ref: 00075ED7
GetWindowRect.USER32(?,?), ref: 00075EF8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 07fcf2d4654afc54ceba3b58349b0c457af8e5e62e13aa5c32f9657ec51e6ebb
Instruction ID: 672477b402fba95e2598678bbde5f182ea3cde2e578b6c685185d5590a21b217
Opcode Fuzzy Hash: 07fcf2d4654afc54ceba3b58349b0c457af8e5e62e13aa5c32f9657ec51e6ebb
Instruction Fuzzy Hash: 97B18834A00B4ADBDB24CFA9C8807EEB7F1FF58311F14851AE8A9D7250DB74AA50CB54

Function 000A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A00D6
__allrem.LIBCMT ref: 000A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A010B
__allrem.LIBCMT ref: 000A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A0140

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 39f5e06f75150f7374bc9dc450c398ef450c8598270dc1b9e7a9dc690a7deec7
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2381F772A0070A9BEB209FA8CC51BEB73E9AF42364F24453AF551D7282E770D9009B50

Function 000A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000982D9,000982D9,?,?,?,000A644F,00000001,00000001,8BE85006), ref: 000A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000A644F,00000001,00000001,8BE85006,?,?,?), ref: 000A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000A63D8
__freea.LIBCMT ref: 000A63E5

Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852

__freea.LIBCMT ref: 000A63EE
__freea.LIBCMT ref: 000A6413

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: aec5bb244701bd029a257a4bb1af0bed96e4a2c40711cda1ae595cad98daf53b
Instruction ID: fe9e2ca16c57dfb18875d28ddc9c5bb03bb8f40586f34739ca9ead4a521f9175
Opcode Fuzzy Hash: aec5bb244701bd029a257a4bb1af0bed96e4a2c40711cda1ae595cad98daf53b
Instruction Fuzzy Hash: 5951BE72A00216ABDF258FE4CC81EAF76FAEF46750F184629F905D6181EB36DD41C6A0

Function 000FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FBD25
RegCloseKey.ADVAPI32(00000000), ref: 000FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000FBDF3
RegCloseKey.ADVAPI32(?), ref: 000FBDFF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4806217cd28195b6cc4b05dbf5047a765777284498bab4eb61a357a1cb6e7223
Instruction ID: 3636648c8bdc3fbf227887d63335b903033aadc206b762cc06966dfc8559368c
Opcode Fuzzy Hash: 4806217cd28195b6cc4b05dbf5047a765777284498bab4eb61a357a1cb6e7223
Instruction Fuzzy Hash: B3819B30208245AFD714DF24C881E6ABBE5FF84308F14895CF6994B6A2DB71ED45DF92

Function 000CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000CF7B9
SysAllocString.OLEAUT32(00000001), ref: 000CF860
VariantCopy.OLEAUT32(000CFA64,00000000), ref: 000CF889
VariantClear.OLEAUT32(000CFA64), ref: 000CF8AD
VariantCopy.OLEAUT32(000CFA64,00000000), ref: 000CF8B1
VariantClear.OLEAUT32(?), ref: 000CF8BB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 12e1fc165d87e8ca0dd871abca3c183f2ff47ec5c4cf8c94d7f49508b5aba726
Instruction ID: 6dbacc1f289bb87c6fe341185c792ec53dc9fb1b76ca37d80e7cf9d66c241334
Opcode Fuzzy Hash: 12e1fc165d87e8ca0dd871abca3c183f2ff47ec5c4cf8c94d7f49508b5aba726
Instruction Fuzzy Hash: 2451D431600312BBCF24AB65D895F7DB3A6EF45310B20946BE906DF292DB748C40DB97

Function 000E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 000E94E5
_wcslen.LIBCMT ref: 000E9506
_wcslen.LIBCMT ref: 000E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 000E9585

Strings

X, xrefs: 000E9412

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4cdeaa9aee2d4e187b62f7daa90d8626cecf9faf42cb95cfa82dc208743226aa
Instruction ID: e37df46aa2b4503165939de06d22db14bd0ec86e4ce8ef5ee7dcf2ed86e49bbb
Opcode Fuzzy Hash: 4cdeaa9aee2d4e187b62f7daa90d8626cecf9faf42cb95cfa82dc208743226aa
Instruction Fuzzy Hash: CBE1B2719083409FD724DF25C881BAEB7E0BF85314F14896DF899AB2A2DB31DD45CB92

Function 0008920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

BeginPaint.USER32(?,?,?), ref: 00089241
GetWindowRect.USER32(?,?), ref: 000892A5
ScreenToClient.USER32(?,?), ref: 000892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000892D3
EndPaint.USER32(?,?,?,?,?), ref: 00089321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000C71EA

Part of subcall function 00089339: BeginPath.GDI32(00000000), ref: 00089357

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0a896ae99e82554cc735bf158aa2e6f91df40d757921ad0df82b2f3cdf3080c9
Instruction ID: 573c869e12c74a721eb93d570ba6232878f738fdebe1a3c5251d99b6315cf218
Opcode Fuzzy Hash: 0a896ae99e82554cc735bf158aa2e6f91df40d757921ad0df82b2f3cdf3080c9
Instruction Fuzzy Hash: 9C419F70105200AFD721EF24DC84FBA7BE8FB56324F180669F9A5872F2C7719985DB61

Function 000E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000E0847
EnterCriticalSection.KERNEL32(?), ref: 000E0863
LeaveCriticalSection.KERNEL32(?), ref: 000E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000E0921

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6d03aa411b70f16123639f1f7b79ad159c56f543767fe2e7cff380a1ad54a3fb
Instruction ID: ffe2a991d6dee6f013d835cc9b63b191053dcab8dc38a72ec969b4102d04d94a
Opcode Fuzzy Hash: 6d03aa411b70f16123639f1f7b79ad159c56f543767fe2e7cff380a1ad54a3fb
Instruction Fuzzy Hash: A7417A71900205EFDF14AF64DC85AAAB7B8FF44300F1440A5ED40AA297DBB0DEA4DFA0

Function 000E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2

_wcslen.LIBCMT ref: 000E587B
CoInitialize.OLE32(00000000), ref: 000E5995
CoCreateInstance.OLE32(0010FCF8,00000000,00000001,0010FB68,?), ref: 000E59AE
CoUninitialize.OLE32 ref: 000E59CC

Strings

.lnk, xrefs: 000E5876, 000E58C1, 000E5985

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b1beefa5a3c6eadb5c6646254b1e145aadbbeab5a4f5fd8024b8595d0d60262d
Instruction ID: 445c55a5bb36202d42eccdbea2dd960f4c68b55dc85f324d372a5d05f820ff1e
Opcode Fuzzy Hash: b1beefa5a3c6eadb5c6646254b1e145aadbbeab5a4f5fd8024b8595d0d60262d
Instruction Fuzzy Hash: 32D16470A047019FC714DF25C880A6ABBE1FF89719F14895DF889AB362DB31EC45CB92

Function 000D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000D0FCA
Part of subcall function 000D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000D0FD6
Part of subcall function 000D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000D0FE5
Part of subcall function 000D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000D0FEC
Part of subcall function 000D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000D1002

GetLengthSid.ADVAPI32(?,00000000,000D1335), ref: 000D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000D17BA
HeapAlloc.KERNEL32(00000000), ref: 000D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000D17DA
GetProcessHeap.KERNEL32(00000000,00000000,000D1335), ref: 000D17EE
HeapFree.KERNEL32(00000000), ref: 000D17F5

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ac904c04eb1473363cd3da847ec81d5db5e24f72195419ef147e067f88139f27
Instruction ID: d12df335ca4554dad81ef16389f251ff4e50c385a724e8d5772c4cfaa72e840b
Opcode Fuzzy Hash: ac904c04eb1473363cd3da847ec81d5db5e24f72195419ef147e067f88139f27
Instruction Fuzzy Hash: 7E116A71605305FBDB109FA4CC49BEE7BB9FB45355F10425AF48197220DB75A984CBA0

Function 000D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000D1515
CloseHandle.KERNEL32(00000004), ref: 000D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000D1563

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c6f70084394b91afa322cb36ab22988a7b1e87e58e2bdf6a5996c5c15194281a
Instruction ID: 89239ed86c7a470522b6993ac9a1013ee92c5bdb50f45580762339effd1a4d2f
Opcode Fuzzy Hash: c6f70084394b91afa322cb36ab22988a7b1e87e58e2bdf6a5996c5c15194281a
Instruction Fuzzy Hash: 84112972500209FBDF118F98ED49BDE7BA9FF48744F048115FA45A21A0C7B58EA0DBA0

Function 00093382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00093379,00092FE5), ref: 00093390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0009339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000933B7
SetLastError.KERNEL32(00000000,?,00093379,00092FE5), ref: 00093409

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e0b7bb2ac9b89a65c742ceaa5506df81cb37d22dd1f294e54cfec783c4e9ed69
Instruction ID: 086a9038020b77ce7fcca14babae2f60dda24db0ede0b4bfa2817e296a3b2c6d
Opcode Fuzzy Hash: e0b7bb2ac9b89a65c742ceaa5506df81cb37d22dd1f294e54cfec783c4e9ed69
Instruction Fuzzy Hash: EE01243260D311BEEF2827B47C859AB2A94EB053793208329F510942F2EF114E427E84

Function 000A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000A5686,000B3CD6,?,00000000,?,000A5B6A,?,?,?,?,?,0009E6D1,?,00138A48), ref: 000A2D78
_free.LIBCMT ref: 000A2DAB
_free.LIBCMT ref: 000A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0009E6D1,?,00138A48,00000010,00074F4A,?,?,00000000,000B3CD6), ref: 000A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0009E6D1,?,00138A48,00000010,00074F4A,?,?,00000000,000B3CD6), ref: 000A2DEC
_abort.LIBCMT ref: 000A2DF2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ee57853fbdb747f88e1f3ba67d13df4838f66f905d88e50cf4e2d160a4266687
Instruction ID: 751c95507a3614033c48a7ad6164cb308fda765ca6ff934bb8400b97f4d4bb81
Opcode Fuzzy Hash: ee57853fbdb747f88e1f3ba67d13df4838f66f905d88e50cf4e2d160a4266687
Instruction Fuzzy Hash: AEF0C8355056006BC26227FDBC06F9F269ABFC37A1F254538F824965D3EF64884156A1

Function 00108A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00089639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896A2
Part of subcall function 00089639: BeginPath.GDI32(?), ref: 000896B9
Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00108A4E
LineTo.GDI32(?,00000003,00000000), ref: 00108A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00108A70
LineTo.GDI32(?,00000000,00000003), ref: 00108A80
EndPath.GDI32(?), ref: 00108A90
StrokePath.GDI32(?), ref: 00108AA0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c5e8c2aae3447f6a9ef96f71aca2a238b4391ed3ffd9a5ff9cc2ce8724f59bc0
Instruction ID: deac18f49d420ab813253f2ccb5f648ac87f89cbacfa21b9a89468ddc69a160f
Opcode Fuzzy Hash: c5e8c2aae3447f6a9ef96f71aca2a238b4391ed3ffd9a5ff9cc2ce8724f59bc0
Instruction Fuzzy Hash: 3B111E7600010CFFEF119F90DC88EAA7F6CEB04354F048111FA59965A1C7B19D95DFA0

Function 000D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000D5230
ReleaseDC.USER32(00000000,00000000), ref: 000D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000D5261

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a30e0a37fc16584d6cd2c79bd9b08b419880160021f905d4fac6c2eb12d1557c
Instruction ID: 365846fe4f2660d7d7f4c8069c0b937429ede736e580904d2a9420f27f96e539
Opcode Fuzzy Hash: a30e0a37fc16584d6cd2c79bd9b08b419880160021f905d4fac6c2eb12d1557c
Instruction Fuzzy Hash: 8301A275E00708BBEB109BA59C49F5EBFB8EF48351F048166FA04A7381D6709C04CFA0

Function 00071BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00071BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00071BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00071C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00071C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00071C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00071C22

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e11daf01b1266d4ffb413bda48faccaec43ca0e7dfbb155b6ba3cd985739000d
Instruction ID: a518da9e2afb4820abe64af39d2a65d470563fd3276723c212b94078b0d478ec
Opcode Fuzzy Hash: e11daf01b1266d4ffb413bda48faccaec43ca0e7dfbb155b6ba3cd985739000d
Instruction Fuzzy Hash: F3016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CFE5

Function 000DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB75

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f0c7aaa7227582a67cb4dbd006626fef3d14c3034e6868a336eca911deefd547
Instruction ID: 7de246f2fd2647ea83fa315586831dacdcba62e179cee4a659d9f25695d61b7b
Opcode Fuzzy Hash: f0c7aaa7227582a67cb4dbd006626fef3d14c3034e6868a336eca911deefd547
Instruction Fuzzy Hash: 89F09A72200258BBE7205B629C0EEEF3A7CEFCAB11F000259F641D1190E7E11A41CEF4

Function 000D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D187F
UnloadUserProfile.USERENV(?,?), ref: 000D188B
CloseHandle.KERNEL32(?), ref: 000D1894
CloseHandle.KERNEL32(?), ref: 000D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000D18A5
HeapFree.KERNEL32(00000000), ref: 000D18AC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2744387a037fda3d1ee8a87e48e9bd98ddc79674c1e2d133e422925910b27894
Instruction ID: a6936eb94975adba3fe8d8b812550aef2f0ad49aa717fb75b1b74f77b6956fc8
Opcode Fuzzy Hash: 2744387a037fda3d1ee8a87e48e9bd98ddc79674c1e2d133e422925910b27894
Instruction Fuzzy Hash: D2E0C236004101FBDA015BA1ED0C90ABB39FB4DB22B108320F2A5858B0CBB294A0DF90

Function 000DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000DC6EE
_wcslen.LIBCMT ref: 000DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000DC7CA

Strings

0, xrefs: 000DC6AF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a2dbb4417f9c5826893732ff40fa47ad73bdce1430b9d01ed13d11cce357fa2b
Instruction ID: aed26ca9cd8e183c52bfc152edf71325757b790e19d2f1cacff1af5d7a901d09
Opcode Fuzzy Hash: a2dbb4417f9c5826893732ff40fa47ad73bdce1430b9d01ed13d11cce357fa2b
Instruction Fuzzy Hash: 1A51B0716083029BE7A49F28C885FAB77E4AF45314F040A2EF995D32E1DB74D944DF62

Function 000FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 000FAEA3

Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625

GetProcessId.KERNEL32(00000000), ref: 000FAF38
CloseHandle.KERNEL32(00000000), ref: 000FAF67

Strings

@, xrefs: 000FAE72
<, xrefs: 000FAE6B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 58020b748fef27ff6bc80617304363b7d0a47d65ce3f44f9356a2a521c2937fd
Instruction ID: 52e968d6cca134f2e76165639f0dfd64cdc5388a863c2d150febbb34514dd2dc
Opcode Fuzzy Hash: 58020b748fef27ff6bc80617304363b7d0a47d65ce3f44f9356a2a521c2937fd
Instruction Fuzzy Hash: 78718B70A00619DFCB14DF64C484AAEBBF0FF09310F0484A9E85AAB762C774ED45CB91

Function 00106278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001062E2
ScreenToClient.USER32(?,?), ref: 00106315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00106382

Strings

@U=u, xrefs: 001063DD

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 039addb50de65f0c2634d11f76b80dffcb5b70743694dd957573cae0fc0b2808
Instruction ID: 99c6a8910f73a7ed03fdfa567427be359cbabb98b8e6c3115a58df69be02763d
Opcode Fuzzy Hash: 039addb50de65f0c2634d11f76b80dffcb5b70743694dd957573cae0fc0b2808
Instruction Fuzzy Hash: 3C510D74A00209EFDB20DF54D881AAE7BB5FB55364F108259F8999B2E0D770ED91CB90

Function 000D2716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21D0,?,?,00000034,00000800,?,00000034), ref: 000DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000D2760

Part of subcall function 000DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000DB3F8

Part of subcall function 000DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000DB355
Part of subcall function 000DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB365
Part of subcall function 000DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000D281A

Strings

@, xrefs: 000D2832
@U=u, xrefs: 000D2760, 000D27CD, 000D281A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: a770a6084f5feb658a6c51d28e582ae0eeb51122f388b538fd20b6ac6a611eba
Instruction ID: 89a3341471b7f62244578266ac085a3b5bb03d0ee269fcb3582f3b3c784c4be3
Opcode Fuzzy Hash: a770a6084f5feb658a6c51d28e582ae0eeb51122f388b538fd20b6ac6a611eba
Instruction Fuzzy Hash: 24411C72900218AFDB10DBA4CD45AEEBBB8EF19700F104056FA55B7281DB716E85DBA1

Function 000D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000D72CF

Strings

DllGetClassObject, xrefs: 000D7242

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 9331b2efe5a1049f79bccaf3d3f2b40a343ae851f3da8281f06b17cdbe2acbbf
Instruction ID: a06c91a517154c61818150808e23b7b757601b669010fd6fb2522861d8202179
Opcode Fuzzy Hash: 9331b2efe5a1049f79bccaf3d3f2b40a343ae851f3da8281f06b17cdbe2acbbf
Instruction Fuzzy Hash: CF413F71A04304EFDB25CF54C885AAA7BA9EF44310F1481AEBD099F34AE7B5D945CBB0

Function 001052C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00105352
GetWindowLongW.USER32(?,000000F0), ref: 00105375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00105382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001053A8

Strings

@U=u, xrefs: 00105352

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 2c756bb142498daa6dbda40a8009dfd4532200faa6bb99f4f6ea9af29abcd0cf
Instruction ID: 6dce28cfe342f1ce02e54e878ff015a84bbc757bbc4093971be401afcdb02958
Opcode Fuzzy Hash: 2c756bb142498daa6dbda40a8009dfd4532200faa6bb99f4f6ea9af29abcd0cf
Instruction Fuzzy Hash: 95319E34A55A08AFEB349B14CC46BEA7767BB05390F584101FA919A2E1C7F1A980DF92

Function 00103D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00103E35
IsMenu.USER32(?), ref: 00103E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00103E92
DrawMenuBar.USER32 ref: 00103EA5

Strings

0, xrefs: 00103D89

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: bef59324f0a8a19bf05e8d14e230295a6a1c50f45f1f9c0b58a91ffddb6324a0
Instruction ID: 830c8b010114fcba68b3f891d9c942b2ccc2606422920d65a7f3e384efa70300
Opcode Fuzzy Hash: bef59324f0a8a19bf05e8d14e230295a6a1c50f45f1f9c0b58a91ffddb6324a0
Instruction Fuzzy Hash: 3B413B75A01209EFDB10DF50D884EEABBB9FF49354F044229F99597290D7B0AE45CF90

Function 000FC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000FC9F1
_wcslen.LIBCMT ref: 000FCA68
_wcslen.LIBCMT ref: 000FCA9E
_wcslen.LIBCMT ref: 000FCAF9
_wcslen.LIBCMT ref: 000FCB2F
_wcslen.LIBCMT ref: 000FCB7F

Strings

HKLM, xrefs: 000FCA98, 000FCA9D
HKEY_LOCAL_MACHINE, xrefs: 000FCA62, 000FCA67

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: a5d0f7b092590d3b814ebdd58371ef5c3e8672a268c2bd91240125a630138c2c
Instruction ID: 47e516a017ec2ee90f9cab2568854bf01f4122f54312bf514109043741de40f5
Opcode Fuzzy Hash: a5d0f7b092590d3b814ebdd58371ef5c3e8672a268c2bd91240125a630138c2c
Instruction Fuzzy Hash: 47314B73A0016D4BEB70DF2C8B53CBE33D15BA1758F054019E9056BA45EA71ED80F3A2

Function 00102F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00102F8D
LoadLibraryW.KERNEL32(?), ref: 00102F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00102FA9
DestroyWindow.USER32(?), ref: 00102FB1

Strings

SysAnimate32, xrefs: 00102F68

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: fa7f54da953fadf90206fde5ba92bf06463172d14758f91dc6458023001cb4c6
Instruction ID: 29ae5405e373f2db4e628cfa558fc6815ada86ae0835d52acec2edd9f7222bb4
Opcode Fuzzy Hash: fa7f54da953fadf90206fde5ba92bf06463172d14758f91dc6458023001cb4c6
Instruction Fuzzy Hash: D121C07120020AABEB215F64DC88FBB77BDEB593A4F104618F990D31D0D7B1DC919B60

Function 00105660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001056BB
_wcslen.LIBCMT ref: 001056CD
_wcslen.LIBCMT ref: 001056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00105816

Strings

@U=u, xrefs: 001056BB, 00105816

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: c600eed84b882feb1722e6ba8e32e5cd1b8d9a66bf809dcf11dc6e0822e97073
Instruction ID: 4e1bb3ca1d91b5cf59e495cf68a2da5a2dd83ed5701cce8441beb91497af590e
Opcode Fuzzy Hash: c600eed84b882feb1722e6ba8e32e5cd1b8d9a66bf809dcf11dc6e0822e97073
Instruction Fuzzy Hash: 7211B175A00608A6DF209F61CC85AEF7BBCEF11764B104126F995D60C1EBF08A81CF60

Function 0007600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
GetStockObject.GDI32(00000011), ref: 00076060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A

Strings

@U=u, xrefs: 0007606A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: b2959cd10a60b77b8a92ff45eee417b34a85b801319f5a12c4fca13a4cddcd9a
Instruction ID: fc6ee0f9d3e804b4f8b31908ae90fcc86a70f427119fbab98c17850a784f7b86
Opcode Fuzzy Hash: b2959cd10a60b77b8a92ff45eee417b34a85b801319f5a12c4fca13a4cddcd9a
Instruction Fuzzy Hash: 9B118E72501908BFEF224F94CC44AEB7BA9FF08364F004201FA0952110C776ACA09FD0

Function 00094D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00094D1E,000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002), ref: 00094D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00094DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00094D1E,000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000), ref: 00094DC3

Strings

mscoree.dll, xrefs: 00094D86
CorExitProcess, xrefs: 00094D98

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f323b552b80345d643143d367a2c9639cc12b39f7c6de96cad85044eff34434c
Instruction ID: 40b73d566a1e018c0a9dd42274cbe22fb117953cc4b829d05e807f5fc5844f89
Opcode Fuzzy Hash: f323b552b80345d643143d367a2c9639cc12b39f7c6de96cad85044eff34434c
Instruction Fuzzy Hash: 2EF0AF38A00208BBDB159F90DC49BEDBBF4EF48712F0001A8F849A26A0DBB059C1DFD1

Function 000CD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000CD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000CD3BF
FreeLibrary.KERNEL32(00000000), ref: 000CD3E5

Strings

X64, xrefs: 000CD2A8
GetSystemWow64DirectoryW, xrefs: 000CD3B9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 820d921c63c8c8dcaa5acafb19983e29432d2c0323dbaf7b025faf65caf55a69
Instruction ID: 8763ad3e11730dc4731eb38f1df08d803b26cceb0f3d4ce11d62bb049f15c82e
Opcode Fuzzy Hash: 820d921c63c8c8dcaa5acafb19983e29432d2c0323dbaf7b025faf65caf55a69
Instruction Fuzzy Hash: 03F02071806621ABD7B127208C28F6E7760BF21701F65826FF486F2091DBB0CE808BC2

Function 00074E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00074EAE
FreeLibrary.KERNEL32(00000000,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EC0

Strings

kernel32.dll, xrefs: 00074E94
Wow64DisableWow64FsRedirection, xrefs: 00074EA8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 804ce552be072d4af514d68f09594e7b791dc061def6060fecd7a027ddebcdc4
Instruction ID: 1beec165f3e67058a60ec2b8f703b7caaea5ef23162a9d15412374cf09f2f4bb
Opcode Fuzzy Hash: 804ce552be072d4af514d68f09594e7b791dc061def6060fecd7a027ddebcdc4
Instruction Fuzzy Hash: F5E0CD36E015229BD27117256C18B6F75D4EF81F72B054215FC44D2140DBF8CD418CF8

Function 00074E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074E74
FreeLibrary.KERNEL32(00000000,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E87

Strings

kernel32.dll, xrefs: 00074E5B
Wow64RevertWow64FsRedirection, xrefs: 00074E6E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c4c3dfad4479686b121ec8492bfd0c29334095dae0ff3912482db2aab1371eff
Instruction ID: ccd3e62b4a556c9b55b722ba189ab3fe3ea0999002efdf62e44d7ea1b155b87e
Opcode Fuzzy Hash: c4c3dfad4479686b121ec8492bfd0c29334095dae0ff3912482db2aab1371eff
Instruction Fuzzy Hash: 1CD0C23290262197C6221B246C08DCB2A5CEF86B613054310B848E2150CFB8CD418AD8

Function 000E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2C05
DeleteFileW.KERNEL32(?), ref: 000E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2CC0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 13a8a16930676b2910472aa3957509c158b3a6ba71709d1657c0e9a91124e021
Instruction ID: 99542ca92de7a37e874c88b3d07329973aa265728b70f0a1d7465787ae70b0e7
Opcode Fuzzy Hash: 13a8a16930676b2910472aa3957509c158b3a6ba71709d1657c0e9a91124e021
Instruction Fuzzy Hash: A7B13D71D00119AFDF21EBA5CC86EDEB7BDEF49350F1040A6F609B6142EB749A448FA1

Function 000FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000FA468
CloseHandle.KERNEL32(?), ref: 000FA63D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: dc6e5e276fbb21dcda28e1068781bd3f11d5565d8540c15d4643ad3c046e8efe
Instruction ID: 28fc6feebf2cf229f6a0039298b7b80e07307168106a7d9a9c7d88878d542468
Opcode Fuzzy Hash: dc6e5e276fbb21dcda28e1068781bd3f11d5565d8540c15d4643ad3c046e8efe
Instruction Fuzzy Hash: 15A1A0B16047019FD720DF24C882F6AB7E5AF84714F14881DF59E9B692DBB4EC418B92

Function 000ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00113700), ref: 000ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0014121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00141270,000000FF,?,0000003F,00000000,?), ref: 000ABC36
_free.LIBCMT ref: 000ABB7F

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000ABD4B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: efbbc4fadfc13b349dfe8501d893df94701b0af10be90db6f3df72123da7d6cf
Instruction ID: a5a3c53756a25fa0eb17ca71cbbf00a3e0c77570dbfc649f7df70ca22beca321
Opcode Fuzzy Hash: efbbc4fadfc13b349dfe8501d893df94701b0af10be90db6f3df72123da7d6cf
Instruction Fuzzy Hash: D251CC75900219EFCB20DFE99C41DEEB7F8EF46320B10426AE555D71A3EB709E808B90

Function 000DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000DCF22,?), ref: 000DDDFD

Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000DCF22,?), ref: 000DDE16

Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A

lstrcmpiW.KERNEL32(?,?), ref: 000DE473
MoveFileW.KERNEL32(?,?), ref: 000DE4AC
_wcslen.LIBCMT ref: 000DE5EB
_wcslen.LIBCMT ref: 000DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000DE650

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2dd31d949042f5f6f8c500b62a67d79f0cf66b96e6743f949afae3f6520c5b20
Instruction ID: 14b0a33a6ba613884dc4c84736782b5660dc375a93549e882c183c6da1997038
Opcode Fuzzy Hash: 2dd31d949042f5f6f8c500b62a67d79f0cf66b96e6743f949afae3f6520c5b20
Instruction Fuzzy Hash: 4B5161B24087855BC764EB94DC819DF73DCAF84340F00491FF689D7292EE74A5888B6A

Function 000FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000FBB63
RegCloseKey.ADVAPI32(?,?), ref: 000FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 000FBBB3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ed12bc0c12045c25eec510a9be64be638e136f4f471cc712b9e2edf17f91ac2b
Instruction ID: 0c14f3ad6608c29cf8569ec20a62c2551dcd0fece5028c888c9b02655beb645f
Opcode Fuzzy Hash: ed12bc0c12045c25eec510a9be64be638e136f4f471cc712b9e2edf17f91ac2b
Instruction Fuzzy Hash: 52619A31208205AFD314DF24C891E6ABBE5FF84308F54899CF5998B6A2CB71ED45DF92

Function 000D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D8BCD
VariantClear.OLEAUT32 ref: 000D8C3E
VariantClear.OLEAUT32 ref: 000D8C9D
VariantClear.OLEAUT32(?), ref: 000D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000D8D3B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 636d51005dcdcc7afad763a40e0b31d6eee2ac79be47965212397f4167ea0c4f
Instruction ID: 2ac94df20dcaf4272a640834c023d364071385f883e65ee621f330865ec4b302
Opcode Fuzzy Hash: 636d51005dcdcc7afad763a40e0b31d6eee2ac79be47965212397f4167ea0c4f
Instruction Fuzzy Hash: B35159B5A00219EFCB14CF68C894AAAB7F9FF89310F15855AE945DB350E730E911CFA0

Function 000E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000E8C5F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b03a986f2e89f0ceb11cf5c3d6ea3023f85e2c9342612109b494327bdb2fbd7f
Instruction ID: fa7bc9e81a3ebe72a0198b61957cf954a881f25fa46466e166eec6671cdc4b98
Opcode Fuzzy Hash: b03a986f2e89f0ceb11cf5c3d6ea3023f85e2c9342612109b494327bdb2fbd7f
Instruction Fuzzy Hash: C4514735A00619AFCB04DF65C881AA9BBF1FF49314F18C058E84DAB362CB75ED41CB90

Function 000F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 000F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 000F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 000F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 000F9032
FreeLibrary.KERNEL32(00000000), ref: 000F9052

Part of subcall function 0008F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000E1043,?,75B8E610), ref: 0008F6E6
Part of subcall function 0008F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000CFA64,00000000,00000000,?,?,000E1043,?,75B8E610,?,000CFA64), ref: 0008F70D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 4f21e4ae96651676e283d9c0397ed5c4c8e6576bfbfe68ee69881129417ad435
Instruction ID: f204d7daf7ac5b7c94331093a9357c8ce91216b996a3585541b261fa268f8f31
Opcode Fuzzy Hash: 4f21e4ae96651676e283d9c0397ed5c4c8e6576bfbfe68ee69881129417ad435
Instruction Fuzzy Hash: 98512634A00209DFC715DF68C4849EDBBF1FF49314B0881A8E94A9BB62DB35ED85CB91

Function 000A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000A20C3
_free.LIBCMT ref: 000A20E3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 72dce0f596a8724928a3ed7ff139a5ddb78b51c892792c0f12e7f87bdd1ae626
Instruction ID: 9f9ab50b140449c34b6a21e15609898530abdb97b5caec2deca5f10b2fda2681
Opcode Fuzzy Hash: 72dce0f596a8724928a3ed7ff139a5ddb78b51c892792c0f12e7f87bdd1ae626
Instruction Fuzzy Hash: CA41B276A002009FCB24DFBCC981A9EB7E5EF8A714F154579E615EB352DB31AD01CB81

Function 0008912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00089141
ScreenToClient.USER32(00000000,?), ref: 0008915E
GetAsyncKeyState.USER32(00000001), ref: 00089183
GetAsyncKeyState.USER32(00000002), ref: 0008919D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8d403db89f550c8ae188a15ac17300eabb8872f019712956ad311a9276c6e380
Instruction ID: d08962166baa974f5117cda8d89952a5528cd635dad1c9e60a8e2800edbe2855
Opcode Fuzzy Hash: 8d403db89f550c8ae188a15ac17300eabb8872f019712956ad311a9276c6e380
Instruction Fuzzy Hash: 8D414031A0851AFBDF55AF68C848BFEB7B4FB05324F244219E869A72D0C7745950CF91

Function 000E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 000E3922
TranslateMessage.USER32(?), ref: 000E394B
DispatchMessageW.USER32(?), ref: 000E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000E3966

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f12f593ca98116972ba0431bb1894febc8325fc01739a921163c2f4c0cb9f5e4
Instruction ID: 49cfe312e8279fdcdab6ea275d49c593d29778bb2c54c4fabcab8bfa783a76c6
Opcode Fuzzy Hash: f12f593ca98116972ba0431bb1894febc8325fc01739a921163c2f4c0cb9f5e4
Instruction Fuzzy Hash: 7D31B6745043C2AEEB75CB36D84DBB67FE8AB06304F040559E456A34A2D7F496C5CB21

Function 000ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,000EC21E,00000000), ref: 000ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 000ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFF2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bb8f5b3af7acde8725b44eacf2752b58faa834109abf7c17d4a16d3628758ecb
Instruction ID: 4fb20a89433691e32eef45b67b1f513e09c07bc588ffd4ca6afd97f8d2cf0b24
Opcode Fuzzy Hash: bb8f5b3af7acde8725b44eacf2752b58faa834109abf7c17d4a16d3628758ecb
Instruction Fuzzy Hash: 75316B71600245AFEB20DFA6C884EAFBBF9FB14311B10443EF546E2501DB31AE42DBA0

Function 000D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000D19E2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6b999aefbb66360a4fce509cc6a9277aeb0e5bb73711c4e6e1b1fccfb3ff3b1e
Instruction ID: 4dbe5b35088740a519f6d45962ce177743816ef5eb55f57f6a815579e5110471
Opcode Fuzzy Hash: 6b999aefbb66360a4fce509cc6a9277aeb0e5bb73711c4e6e1b1fccfb3ff3b1e
Instruction Fuzzy Hash: 7031B171900219EFCB10CFA8CDA9ADE7BB5EB04315F10432AF961A72D1C7B09D44CBA0

Function 000F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000F0951
GetForegroundWindow.USER32 ref: 000F0968
GetDC.USER32(00000000), ref: 000F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 000F09B0
ReleaseDC.USER32(00000000,00000003), ref: 000F09E8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1cce22b257bf0bb69f2d033e33de1487d5d70d5fa1ffedad781a3d38dd16dada
Instruction ID: 26da8e841f7509fc0b61f657b485bb5bc32882712eeb8c458d78c6c68659e420
Opcode Fuzzy Hash: 1cce22b257bf0bb69f2d033e33de1487d5d70d5fa1ffedad781a3d38dd16dada
Instruction Fuzzy Hash: 42218135A00204AFD714EF65C885EAEBBE5EF48700F048168F94AA7762DB70AC44DF90

Function 000ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000ACDE9

Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000ACE0F
_free.LIBCMT ref: 000ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000ACE31

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4f1fb276d9d2b5675ab2dd45f8d1d898b908a221dbf416fc0625eb351275dd3d
Instruction ID: 266584f742c98cfa4d89739c77b6829dbeb22da1fa89dfb3a0ad731a06f63368
Opcode Fuzzy Hash: 4f1fb276d9d2b5675ab2dd45f8d1d898b908a221dbf416fc0625eb351275dd3d
Instruction Fuzzy Hash: 030184726012157F772157FA6C88DBF69ADEFC7BA13160229F905D7201EA718D0185F0

Function 00089639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
SelectObject.GDI32(?,00000000), ref: 000896A2
BeginPath.GDI32(?), ref: 000896B9
SelectObject.GDI32(?,00000000), ref: 000896E2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cc1423c91313477afc4a125ab56556c7a4573f6bfdbbd34f79f2b7bbe6857bc3
Instruction ID: 83b9dfb2f167762d64bebbd0fd1f5a577627420bd53055b710e81bb73839c562
Opcode Fuzzy Hash: cc1423c91313477afc4a125ab56556c7a4573f6bfdbbd34f79f2b7bbe6857bc3
Instruction Fuzzy Hash: 28214F78802305FBDB11BF64DC14BBD3BA9BB51359F144216F4A4A65B0E3B059E1CF94

Function 000D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000D5726
_memcmp.LIBVCRUNTIME ref: 000D5744
_memcmp.LIBVCRUNTIME ref: 000D5757
_memcmp.LIBVCRUNTIME ref: 000D576F
_memcmp.LIBVCRUNTIME ref: 000D5787

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9e23beb547d58e37eab86478899eb1c0a667c12ef6d2c4b5bf5aa3064a7096ee
Instruction ID: c1e0d53fb6e9d4e0f2d3ae72ea3dd69fac9a4a6d041b498cac3c8a1486d9fa4e
Opcode Fuzzy Hash: 9e23beb547d58e37eab86478899eb1c0a667c12ef6d2c4b5bf5aa3064a7096ee
Instruction Fuzzy Hash: 79019671749705FAE6285510AE43EFA739C9B21396B204026FD149A781F7A1EE1196B0

Function 000A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6), ref: 000A2DFD
_free.LIBCMT ref: 000A2E32
_free.LIBCMT ref: 000A2E59
SetLastError.KERNEL32(00000000,00071129), ref: 000A2E66
SetLastError.KERNEL32(00000000,00071129), ref: 000A2E6F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b15e97fcd66fd9427c7555ed46dc8c1d4ed6a6ca71dcb8bb85d656a3e6c967d8
Instruction ID: 70adf8158df28f289b1d182508abe2d0a45f0b692532c8a4f34def934905f88e
Opcode Fuzzy Hash: b15e97fcd66fd9427c7555ed46dc8c1d4ed6a6ca71dcb8bb85d656a3e6c967d8
Instruction Fuzzy Hash: C801F4322056006BC622A7FD6C46EAF2699BBD37B1B214238F425E6293EB70CC814560

Function 000D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?,?,000D035E), ref: 000D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?), ref: 000D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0070

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8b556f54e4d2702cc82d70315bce2f9b0a4138119d03f0bc2cf3fcb809d55b92
Instruction ID: b51b930fdfd9f23df6ee0496dd0c90a9cf995c5e1389bfad6a6acec7950aa093
Opcode Fuzzy Hash: 8b556f54e4d2702cc82d70315bce2f9b0a4138119d03f0bc2cf3fcb809d55b92
Instruction Fuzzy Hash: 75018F72600304BFDB104F68DC04BAA7EEDEB84752F14822AF949D6210DBB1DD808BA0

Function 000D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2abb05490d6ae00e93d43e5f0ea424e2b25f6bc4fb8d754935e790b60f21bd02
Instruction ID: 094e8be964b532739a2176a89a433e8a77ee5f52654e652c0deb9729144ac55e
Opcode Fuzzy Hash: 2abb05490d6ae00e93d43e5f0ea424e2b25f6bc4fb8d754935e790b60f21bd02
Instruction Fuzzy Hash: E1011D79100305FFDB114F65DC49AAA3BBEFF89360B204515FA85D7350DA71DC409EA0

Function 000D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000D1002

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 32b4ffad1555ae63d7e1194d2a3cde5b3a7254a7108267d89343f274451ac9c9
Instruction ID: ba9b0ee85fe98315472cb47b5acd1f335f3cd08592fcabae6bfff760b1e32158
Opcode Fuzzy Hash: 32b4ffad1555ae63d7e1194d2a3cde5b3a7254a7108267d89343f274451ac9c9
Instruction Fuzzy Hash: 78F04939200301FBDB215FA4AC49F963FADFF89762F204515FA85C6291CAB0DC808EA0

Function 000D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1062

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b91a7d4669bef267ee8361b7857423ada3c6656a48ef32a292cd07ef4144da7d
Instruction ID: 98658ed8a0b8a5bdceeacb7b61bea82ad6c0b53119e3a3fab0a3297c15f620e4
Opcode Fuzzy Hash: b91a7d4669bef267ee8361b7857423ada3c6656a48ef32a292cd07ef4144da7d
Instruction Fuzzy Hash: 8EF04939200301FBDB216FA4EC49F963FADFF89761F200515FA85C6250CAB0D8908EA0

Function 000E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0324
CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0331
CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E033E
CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E034B
CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0358
CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0365

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8601cd8ab9efa0fee776dce1afb91090e7f0c65d95cf7abad9280be9687f0880
Instruction ID: 76e7ae2bab7ac1005350f278aef25a09b985f8ac9510e5d423d8b0f032435b2e
Opcode Fuzzy Hash: 8601cd8ab9efa0fee776dce1afb91090e7f0c65d95cf7abad9280be9687f0880
Instruction Fuzzy Hash: FF01A272800B559FC7309F66D880412F7F9BF503153158A3FD19662931C3B1AA94CF80

Function 000AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000AD752

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000AD764
_free.LIBCMT ref: 000AD776
_free.LIBCMT ref: 000AD788
_free.LIBCMT ref: 000AD79A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d4993a61a34fc423b5f176f9f0059757b23e8967b1bf87ac9c8de6ec9ffa8ecd
Instruction ID: 65a6ab9d69be2c789c219cb098a00256b4a6caaedbdb9dffe0a6f27659a7dc19
Opcode Fuzzy Hash: d4993a61a34fc423b5f176f9f0059757b23e8967b1bf87ac9c8de6ec9ffa8ecd
Instruction Fuzzy Hash: CFF04F32508208AFC6A5EBA8F9C5C5F77DDBB06710B950816F049E7912D720FC8087A1

Function 000D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000D5C6F
MessageBeep.USER32(00000000), ref: 000D5C87
KillTimer.USER32(?,0000040A), ref: 000D5CA3
EndDialog.USER32(?,00000001), ref: 000D5CBD

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ffec48322cfec367f90701dc78bae27e3bb208d21661c06372f53c8924d34391
Instruction ID: d25467b1b8b8a0ffb3850727ad75b5eff4c542fa2145f20a4948683e96a1aaea
Opcode Fuzzy Hash: ffec48322cfec367f90701dc78bae27e3bb208d21661c06372f53c8924d34391
Instruction Fuzzy Hash: EF018630510B04AFEB305B10DD4EFA67BB8BB00B46F04165AA983A15E1DBF5A9C48EA0

Function 000A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000A22BE

Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0

_free.LIBCMT ref: 000A22D0
_free.LIBCMT ref: 000A22E3
_free.LIBCMT ref: 000A22F4
_free.LIBCMT ref: 000A2305

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 889295d67610d4f032ff0cb891637f9a2f161cb4042d53ef6eeadc88fb7e1817
Instruction ID: 31a1c20c54e3fadff194a495860ccd52b1493b2a466d4aa413a7d20443f0ee4c
Opcode Fuzzy Hash: 889295d67610d4f032ff0cb891637f9a2f161cb4042d53ef6eeadc88fb7e1817
Instruction Fuzzy Hash: 7DF03078800210AFC753AFA8BC0184D3BA4B71BB617100566F514E2A72C73009D1AFE5

Function 000895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000895D4
StrokeAndFillPath.GDI32(?,?,000C71F7,00000000,?,?,?), ref: 000895F0
SelectObject.GDI32(?,00000000), ref: 00089603
DeleteObject.GDI32 ref: 00089616
StrokePath.GDI32(?), ref: 00089631

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4b546e2b1d008ee795818e8f787e323f19f14c2a7f619ec9eb97ca804575b967
Instruction ID: 1e770f5b8538100b0eb56a56f6727074aaa6b39cf59da736da266b7ff2cf96de
Opcode Fuzzy Hash: 4b546e2b1d008ee795818e8f787e323f19f14c2a7f619ec9eb97ca804575b967
Instruction Fuzzy Hash: DBF0EC39006708EBDB266F65ED5C7783BA5BB02326F088314F4A9558F0DB7089E5DF60

Function 000A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000A10F9
__freea.LIBCMT ref: 000A1117

Part of subcall function 000A1537: _free.LIBCMT ref: 000A154F

Strings

a/p, xrefs: 000A11DE
am/pm, xrefs: 000A117A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c0f6519f44c8b46bec39f19efb6a5abc68b4dbdc1320155c628f868f77da8e52
Instruction ID: 579234bbfacd60bc6a4b38e62723fee7bf74a614d6ddb5a4cd8050a8f1aa34b2
Opcode Fuzzy Hash: c0f6519f44c8b46bec39f19efb6a5abc68b4dbdc1320155c628f868f77da8e52
Instruction Fuzzy Hash: EAD10272900206DACF689FE8C855BFEB7F5EF07310F284159E901AB691D3759E80CB91

Function 000F7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00090242: EnterCriticalSection.KERNEL32(0014070C,00141884,?,?,0008198B,00142518,?,?,?,000712F9,00000000), ref: 0009024D
Part of subcall function 00090242: LeaveCriticalSection.KERNEL32(0014070C,?,0008198B,00142518,?,?,?,000712F9,00000000), ref: 0009028A

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000900A3: __onexit.LIBCMT ref: 000900A9

__Init_thread_footer.LIBCMT ref: 000F7BFB

Part of subcall function 000901F8: EnterCriticalSection.KERNEL32(0014070C,?,?,00088747,00142514), ref: 00090202
Part of subcall function 000901F8: LeaveCriticalSection.KERNEL32(0014070C,?,00088747,00142514), ref: 00090235

Strings

5, xrefs: 000F7C78
G, xrefs: 000F7C7F
Variable must be of type 'Object'., xrefs: 000F7C3A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: d7d1e20222e36c81130828111f5d56005dc45ad40c1004356091f80a97cab94b
Instruction ID: 1dddef348f96d3548cfa2678136826125f44a159b6bb19b845f87e4f2de43331
Opcode Fuzzy Hash: d7d1e20222e36c81130828111f5d56005dc45ad40c1004356091f80a97cab94b
Instruction Fuzzy Hash: 69918C70A04209EFCB14EF54D991DFDB7B1BF49300F508059FA0AAB692DB71AE41EB52

Function 000A8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 000A8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 000A8B7A
__dosmaperr.LIBCMT ref: 000A8B81

Strings

., xrefs: 000A8A63

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3497715306
Opcode ID: 374e4d46295c36a6f668d90c2e284882ca6798fc71c0917801a823f758ba1cc4
Instruction ID: 860369fcb380ab437c743727ebe113bb7173f8225175f0158675f4ae234e1ff1
Opcode Fuzzy Hash: 374e4d46295c36a6f668d90c2e284882ca6798fc71c0917801a823f758ba1cc4
Instruction Fuzzy Hash: A8416CB0614045AFDB359FA4C880ABD7FE6DB47304B28C1A9F88587652DF31CC4297A0

Function 000A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 000A1769
_free.LIBCMT ref: 000A1834
_free.LIBCMT ref: 000A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 000A1760, 000A1767, 000A1796, 000A17CE

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1639720508
Opcode ID: c6d46e3a2b37495c48887d6026f8199f2cfedabac5a3ea4638640c72788db894
Instruction ID: c49950d02da973a72b98b1518c0b2fa8ccf90fde04ffb8eae26934be19f1c810
Opcode Fuzzy Hash: c6d46e3a2b37495c48887d6026f8199f2cfedabac5a3ea4638640c72788db894
Instruction Fuzzy Hash: 33315075A44218FFDB21DBD99885DDEBBFCEB86710F244166F904D7211DAB08E80DB90

Function 000DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00141990,017C64B0), ref: 000DC395

Strings

0, xrefs: 000DC2DF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b533ced31f9ec8391e9457f31488c4ce34ac44c48aaf28df5a427c4efd4624c4
Instruction ID: 2035a93aa86d34a4b05d8a036817808fad71e19c085e1966d7310a154c9c96f2
Opcode Fuzzy Hash: b533ced31f9ec8391e9457f31488c4ce34ac44c48aaf28df5a427c4efd4624c4
Instruction Fuzzy Hash: B141A6712043429FEB24DF29D844F5ABBE4AF85310F14861EF9A5973D2D770EA04CB62

Function 00104416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0010CC08,00000000,?,?,?,?), ref: 001044AA
GetWindowLongW.USER32 ref: 001044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001044D7

Strings

SysTreeView32, xrefs: 0010447C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 67d31313166d94e3b4d9dbb95d5bd0d12b8e69f0285305c3a2759d1eda3ac1f7
Instruction ID: 4c220406eac87bd44d6023c88da81933407d0eceb5030f08bb026a49ddbc990f
Opcode Fuzzy Hash: 67d31313166d94e3b4d9dbb95d5bd0d12b8e69f0285305c3a2759d1eda3ac1f7
Instruction Fuzzy Hash: 20319071210605AFDB209F78DC85BEA77A9EB09334F204715FAB5D21D1D7B0EC909B50

Function 000D6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 000D6EED
VariantCopyInd.OLEAUT32(?,?), ref: 000D6F08
VariantClear.OLEAUT32(?), ref: 000D6F12

Strings

*j, xrefs: 000D6E8B, 000D6E90, 000D6EF8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-725149108
Opcode ID: b5c137c7b622a3988a08a58010dfb129eae8d2d2ee2ce99a163ab1d835a5049c
Instruction ID: 997029ad33bd75d671a4dc018eec57d05a8b10a0dabcfc95930ca93f8b0fb7b3
Opcode Fuzzy Hash: b5c137c7b622a3988a08a58010dfb129eae8d2d2ee2ce99a163ab1d835a5049c
Instruction Fuzzy Hash: 6031A1B1604B05DBCB15AF64E850ABE37B5FF44304B1044AAF9068B3A2C7359D11DBE4

Function 000F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000F3077,?,?), ref: 000F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
_wcslen.LIBCMT ref: 000F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 000F3106

Strings

255.255.255.255, xrefs: 000F3095, 000F309A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: de7fa98ccbe844ab6ddd98c50d593695872e5cafa519ecc6f1b0fc1aa57a1af0
Instruction ID: 3f828cbd77476df36a7cd246e7c0a7a47d24e8d5f197e1598eff835c2a414c07
Opcode Fuzzy Hash: de7fa98ccbe844ab6ddd98c50d593695872e5cafa519ecc6f1b0fc1aa57a1af0
Instruction Fuzzy Hash: C131F5356002099FCB20CF28C495EBA77E0EF54328F24C15AEA158BB92CB72DE41D761

Function 00104653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00104705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00104713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0010471A

Strings

msctls_updown32, xrefs: 00104684

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c3f964c7288e9df222afd7999b62a257e6a53b05446af6136cb38e993071101a
Instruction ID: e7cd82098f64551e532fb50e987db728a77648832914c4034a514f13d330dc7a
Opcode Fuzzy Hash: c3f964c7288e9df222afd7999b62a257e6a53b05446af6136cb38e993071101a
Instruction Fuzzy Hash: CE2160F5600208AFEB10DF68DCD1DA737ADEF5A398B040459FA409B3A1DB71EC51CA60

Function 000D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D961D

Strings

#OnAutoItStartRegister, xrefs: 000D95F3
#notrayicon, xrefs: 000D95B7
#requireadmin, xrefs: 000D95D9

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 30f9325d7b7f319306116be0afe18a8e0ccabba02b906082bfc96399aa090e40
Instruction ID: 70850a293ff43ab01581df1728942895ce64be9fe7b07cd522cc40913f8d9b06
Opcode Fuzzy Hash: 30f9325d7b7f319306116be0afe18a8e0ccabba02b906082bfc96399aa090e40
Instruction Fuzzy Hash: 6321383220471166C771BA249C02FFB73D8AF51310F10803BF94997286EB95ED52D3B5

Function 001037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00103840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00103850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00103876

Strings

Listbox, xrefs: 0010380F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 003001cb538d2a40ef0da1af5856f1c203df7dc946809cc8bb6c331360869f7d
Instruction ID: 733ad0db92cac8cbc2a4456d1e79eb4c04769c429a2ac4dbc2438ef0cee095ad
Opcode Fuzzy Hash: 003001cb538d2a40ef0da1af5856f1c203df7dc946809cc8bb6c331360869f7d
Instruction Fuzzy Hash: 23218072610118BBEB218F54CC45FAB376EEF89750F118225F9959B1D0CBB1DC528BA0

Function 000D223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000D2258

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000D228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000D22CA

Strings

@U=u, xrefs: 000D2258, 000D228A, 000D22CA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 5c1a90af02cab40ec905750a0ff39aba379f8016e0786274e131ed349602a4a0
Instruction ID: 92a1e57b5af230910fb9d2c744ce10a7e746e062983f9074a74809bb819914b8
Opcode Fuzzy Hash: 5c1a90af02cab40ec905750a0ff39aba379f8016e0786274e131ed349602a4a0
Instruction Fuzzy Hash: 4721AA317003047BDB209B55DD49EEE7BADEB65710F044025F905E7381DBB58A4597B1

Function 000E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0010CC08), ref: 000E4AD0

Strings

%lu, xrefs: 000E4A6F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f8c0cf514da0b517122369d60a1e0b50de8f5833c2ca646a42518adc35d4d6c5
Instruction ID: 0c7e98f28fce3fa9bb0f86b94467410b41a08a74b55f1695f92a43751df7911e
Opcode Fuzzy Hash: f8c0cf514da0b517122369d60a1e0b50de8f5833c2ca646a42518adc35d4d6c5
Instruction Fuzzy Hash: 78315175A00109AFDB10DF64C985EAABBF8EF08318F1480A5F909EB252D775ED45CFA1

Function 000D1B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000D1B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000D1B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 000D1B99

Strings

@U=u, xrefs: 000D1B99

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 806d5728874870e28dae0bc21d340bf5cf1a12e3b4326b70d0c0f81fd979c301
Instruction ID: 47cc0166634dd0dc2cbf35ae07bcf14c367304ceeef8d4602db2280fd4ce7755
Opcode Fuzzy Hash: 806d5728874870e28dae0bc21d340bf5cf1a12e3b4326b70d0c0f81fd979c301
Instruction Fuzzy Hash: 1F218172600219BFDB25DBA8D9459EEB7FEEF44350F10046BE105E3291DB71AE408BA4

Function 000F0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 000F0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 000F0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 000F0D8D

Strings

@U=u, xrefs: 000F0D24, 000F0D65, 000F0D8D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c934eed1f47d37a1a66f8a8a8903a81730884b2b82671e85ac0bd4e7b1c0926d
Instruction ID: 4e857dbe49c7f3bb19edc898424e846176605639eae2a5232378508923e88eb2
Opcode Fuzzy Hash: c934eed1f47d37a1a66f8a8a8903a81730884b2b82671e85ac0bd4e7b1c0926d
Instruction Fuzzy Hash: A0219735600904EFD710EB64D981EAAB7EAFF0A710B408514FA199BA72CB71FC91CB90

Function 001041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0010424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00104264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00104271

Strings

msctls_trackbar32, xrefs: 00104226

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b63cab76178f4ea7de27d9d9c20b520b44b32558cc7f369ed79c38b35bb938f7
Instruction ID: 646fe333dfb5638e9ba0ad01eb252eef8e0e9c280e0b8dbbcb1304336af32cd6
Opcode Fuzzy Hash: b63cab76178f4ea7de27d9d9c20b520b44b32558cc7f369ed79c38b35bb938f7
Instruction Fuzzy Hash: 7B11C171240208BFEF209E28DC46FAB3BACEF95B54F010124FA95E20E0D7B1D8619B50

Function 000D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

Part of subcall function 000D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D2DC5
Part of subcall function 000D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D2DD6
Part of subcall function 000D2DA7: GetCurrentThreadId.KERNEL32 ref: 000D2DDD
Part of subcall function 000D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000D2DE4

GetFocus.USER32 ref: 000D2F78

Part of subcall function 000D2DEE: GetParent.USER32(00000000), ref: 000D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000D2FC3
EnumChildWindows.USER32(?,000D303B), ref: 000D2FEB

Strings

%s%d, xrefs: 000D2FFF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 981a4cef198a5202cf390651fcc7448abf558f69c42304e81fcd00275ad108fa
Instruction ID: 83e4363cb862d363a7577e3abb7c5988df0d6d06dae717992aa79d1a0aa59600
Opcode Fuzzy Hash: 981a4cef198a5202cf390651fcc7448abf558f69c42304e81fcd00275ad108fa
Instruction Fuzzy Hash: 9711AF756003056BCF547F708C95EEE37AAAF94304F048076B90A9B393DF719A498B71

Function 00103429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001034BA

Strings

edit, xrefs: 0010348F
@U=u, xrefs: 001034BA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 721493c3daa174c8679a6174f9c5ec4e2433521d15ef635cbef6e1abf2d2033a
Instruction ID: 223b32fcf0d0683719ed75cbc2ad3b456d323d6161c002587df7d825201fc18e
Opcode Fuzzy Hash: 721493c3daa174c8679a6174f9c5ec4e2433521d15ef635cbef6e1abf2d2033a
Instruction Fuzzy Hash: 06116A71100208AAEB229F64DC84AEB376EEB15378F504724F9B5DB1E0C7B1DC919BA0

Function 000D1CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000D1D4C

Strings

@U=u, xrefs: 000D1D4C
ComboBox, xrefs: 000D1CEB
ListBox, xrefs: 000D1D16

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 3f269974bc4efcb0ea4e0df570325ca5412db43e44f40c3134173bc57c745fb1
Instruction ID: 30bb543005d5e657fb1141a90fba1c130cb6fe33e2e7fc491f801d098aafe1ff
Opcode Fuzzy Hash: 3f269974bc4efcb0ea4e0df570325ca5412db43e44f40c3134173bc57c745fb1
Instruction Fuzzy Hash: E501D471A11318BBCB18EBA4CC52CFE73AAEB56350B04061AF866673C2EF3559088771

Function 000D1BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000D1C46

Strings

@U=u, xrefs: 000D1C46
ComboBox, xrefs: 000D1BE5
ListBox, xrefs: 000D1C10

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: dff8a96e4ac678e049ff5ecd88cfa2d7e9051920fe3e1a5c4f476e5540a2e6d6
Instruction ID: c96ae080d353f82764f551c0f802c910c544a96354fa8536210bb005ea9d6211
Opcode Fuzzy Hash: dff8a96e4ac678e049ff5ecd88cfa2d7e9051920fe3e1a5c4f476e5540a2e6d6
Instruction Fuzzy Hash: 6C01A775B9120876DF14EB90CD52DFF77E99B11340F14101AA41667383EE249E0887B6

Function 000D1C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000D1CC8

Strings

@U=u, xrefs: 000D1CC8
ComboBox, xrefs: 000D1C69
ListBox, xrefs: 000D1C94

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: a68bfa21f0cdfe9a88c46a76ba8f31a92117dc3ec8f617c54f21343db1b0afc0
Instruction ID: fc01db479c33085ab163fc6b1938fcdb151a74d17d6477d6a1561e11873551bf
Opcode Fuzzy Hash: a68bfa21f0cdfe9a88c46a76ba8f31a92117dc3ec8f617c54f21343db1b0afc0
Instruction Fuzzy Hash: 5401A2B1B9021876CB14EBA0CA02EFE73E99B11340F541026B80673382EE659F0886B6

Function 00105882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001058EE
DrawMenuBar.USER32(?), ref: 001058FD

Strings

0, xrefs: 0010588F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 39a55b2c3d99a888a14c4c322fe5d44ec2eadabdba9c7f1804541ad5c1c23192
Instruction ID: fea2b465b4823b83369e57c0c1b382f9068f34855f773a08b0926e3f15af0562
Opcode Fuzzy Hash: 39a55b2c3d99a888a14c4c322fe5d44ec2eadabdba9c7f1804541ad5c1c23192
Instruction Fuzzy Hash: EB016D35600218EFDB219F21DC44BEFBBB5FB45365F108099F889D6191DBB08A94DF61

Function 000D1D68 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000D1DD3

Strings

@U=u, xrefs: 000D1DD3
ComboBox, xrefs: 000D1D75
ListBox, xrefs: 000D1DA0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 52ef81ceacd7e4179729f7fd8309b190794d12403f6cb932ed4ca4090331e826
Instruction ID: 5dab848ba17223ae205d55e2ddf1a70c3cb99814b3f5425f10fea77a306d5e52
Opcode Fuzzy Hash: 52ef81ceacd7e4179729f7fd8309b190794d12403f6cb932ed4ca4090331e826
Instruction Fuzzy Hash: EAF0FF71F503187ACB14E7A4CC52EFEB3A9AB12350F04091AB826633C2EF645A0882B5

Function 00107803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,001418B0,0010A364,000000FC,?,00000000,00000000,?,?,?,000C76CF,?,?,?,?,?), ref: 00107805
GetFocus.USER32 ref: 0010780D

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 0010787A

Strings

@U=u, xrefs: 0010787A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 66d66b441f52ed3e594f8524811092a1d5e480ad6ab9560bea14f79bf3f7f341
Instruction ID: 418dcba03b5f0e90175ace71cad5b89ec8be4c8031d0508868e04b239b554050
Opcode Fuzzy Hash: 66d66b441f52ed3e594f8524811092a1d5e480ad6ab9560bea14f79bf3f7f341
Instruction Fuzzy Hash: 48017C35A011109FD325DB28E858AB633E6BF8A324F18466EE095876F1DB716C86CF80

Function 000D3D48 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D3D18

SendMessageW.USER32(?,0000000C,00000000,?), ref: 000D3D64
GetParent.USER32 ref: 000D3D7A
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 000D3D81

Strings

@U=u, xrefs: 000D3D64

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: f589d41cd8705e3f5bc9a33a0536e70b7d85d002e2d67868be7879ec1fd44807
Instruction ID: 6bb6bae5285b9025ac30011f1f2bfcf3756d83ad7d9cd4c7eba68214a1813392
Opcode Fuzzy Hash: f589d41cd8705e3f5bc9a33a0536e70b7d85d002e2d67868be7879ec1fd44807
Instruction Fuzzy Hash: EBF03035240300BBEF306F54EC45FD57B9A9B15740F10411AF585962A1CAA26950DFB1

Function 000D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a8dc5c1d9532712493f9a0ba64c3877d30c387c54414d9db53ea57e6d26ac5
Instruction ID: 7582ba3bc3de17d4d2e3793be942df2c405d16fbd1e488633146b006fea5c2bf
Opcode Fuzzy Hash: 88a8dc5c1d9532712493f9a0ba64c3877d30c387c54414d9db53ea57e6d26ac5
Instruction Fuzzy Hash: 2BC11975A00216EFDB14CFA4C898BAEB7B9FF48704F108599E509EB251D771EE41CBA0

Function 000F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000F3459
CoUninitialize.OLE32 ref: 000F3463
VariantInit.OLEAUT32(?), ref: 000F346E
VariantClear.OLEAUT32(?), ref: 000F371B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 82020c94ae738be4ef2670d4bb8dad41d738f64b61b850f782746641e7d19bc7
Instruction ID: c26c1c572f3e22a47e682b6cc4b83da5eb0b7b3d8e093824882d1d3b09c96a61
Opcode Fuzzy Hash: 82020c94ae738be4ef2670d4bb8dad41d738f64b61b850f782746641e7d19bc7
Instruction Fuzzy Hash: 2AA189756047049FC710EF28C485A6AB7E4FF88724F14885DFA8A9B362DB74EE00CB95

Function 000D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D0608
CLSIDFromProgID.OLE32(?,?,00000000,0010CC40,000000FF,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D062D
_memcmp.LIBVCRUNTIME ref: 000D064E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1beb516c7cd74132609c205f4c919cb4ddd217ebf88b10405fc0c0a9a7d7e3e1
Instruction ID: bbb40cec883fe512f1b2268d464f5460c52196619947500f6c2beb55d6900803
Opcode Fuzzy Hash: 1beb516c7cd74132609c205f4c919cb4ddd217ebf88b10405fc0c0a9a7d7e3e1
Instruction Fuzzy Hash: 7181FC75A00209EFCB04DF94C984EEEB7B9FF89315F208559E506AB250DB71AE46CF60

Function 000B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000B14C0

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8e7ccf4ed4f2c58a9bdf6e851ee6cf586e05a0e61a3c4ddfde581e1a7c91f275
Instruction ID: ee386dd587fcdf4f617b64714f22ed13c8e3d1edb1f8350d581f122afeab1f5b
Opcode Fuzzy Hash: 8e7ccf4ed4f2c58a9bdf6e851ee6cf586e05a0e61a3c4ddfde581e1a7c91f275
Instruction Fuzzy Hash: 84416731A00501ABDF317BFD8C56BFE3AE4EF46770F644225F418D6293EB348941A2A2

Function 000F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000F1AFD
WSAGetLastError.WSOCK32 ref: 000F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000F1B8A
WSAGetLastError.WSOCK32 ref: 000F1B94

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8e673026c0f12d2c9e14026eb51afbbb3df9a63fbb6a84256c7b4474c56de86d
Instruction ID: 9a9b00d50fd279e7cc73a60ce0fb9065c52c3e36610b98f4644a7808fa0fcb74
Opcode Fuzzy Hash: 8e673026c0f12d2c9e14026eb51afbbb3df9a63fbb6a84256c7b4474c56de86d
Instruction Fuzzy Hash: F541D174640200AFE720AF20C886FB977E5AB44718F54C458FA5A9F7D3D776ED418B90

Function 000AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f177bbe04e1e654ea012ef484c1ae8695d84323723f740dcdb671af9500dda
Instruction ID: f319a637bf79fea15ea50289d0d3d8a757085f677c013d8ab2c8df453be8c50b
Opcode Fuzzy Hash: 46f177bbe04e1e654ea012ef484c1ae8695d84323723f740dcdb671af9500dda
Instruction Fuzzy Hash: 1041D371A00704AFD7249FB8CC41BEEBBE9EF89710F10452AF551DB283D771A9418790

Function 000E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000E5783
GetLastError.KERNEL32(?,00000000), ref: 000E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000E57FA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c7b0c18ad1aecd587035997ca1a9a1d63d4fb3fe2d26166b3c81a72b32fdc1c2
Instruction ID: aee0ae89e1233cb833a2dfa550370a9ddb15f36658ca6616e1ec72509824eb72
Opcode Fuzzy Hash: c7b0c18ad1aecd587035997ca1a9a1d63d4fb3fe2d26166b3c81a72b32fdc1c2
Instruction Fuzzy Hash: C2412C39600A14DFCB11EF15C544A5DBBE2AF89725B18C888E84E6B362CB74FD41CB95

Function 000AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00096D71,00000000,00000000,000982D9,?,000982D9,?,00000001,00096D71,?,00000001,000982D9,000982D9), ref: 000AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000AD9AB
__freea.LIBCMT ref: 000AD9B4

Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 82fdf08318834bc81c9b598698981023663cb356fd2d5c6130e2f5afe3d925cc
Instruction ID: 637d377c2410861dd16436333b5d7808d035143aa3d2f99d8a7fcddcb2913d65
Opcode Fuzzy Hash: 82fdf08318834bc81c9b598698981023663cb356fd2d5c6130e2f5afe3d925cc
Instruction Fuzzy Hash: C031BE72A1020AABDF259FA4DC45EEF7BA9EB42310F05426AFC05DB251EB35CD54CB90

Function 000DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 000DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000DAC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 000DACC6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: edc4f0b0626de8c0beb04604b702f7e8655548d4e29ae87ada74a980ff2568be
Instruction ID: 7cb452356e1ee9e2ebf19afe2d21a46357c15ec5a9ab0e88a0a38c53ca5af31b
Opcode Fuzzy Hash: edc4f0b0626de8c0beb04604b702f7e8655548d4e29ae87ada74a980ff2568be
Instruction Fuzzy Hash: A631E530B607186FEB358B6588047FE7BA5AB8A330F04531BE485523D1C37589858BB2

Function 00107674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0010769A
GetWindowRect.USER32(?,?), ref: 00107710
PtInRect.USER32(?,?,00108B89), ref: 00107720
MessageBeep.USER32(00000000), ref: 0010778C

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2101494dd0c6f4bd922ab1f24af2313b52d34ed64b41679dd5ce777f5918eab8
Instruction ID: 80db237227b203204b1fd294901a07ae752995aebf0f6189a74d38de6af6fdff
Opcode Fuzzy Hash: 2101494dd0c6f4bd922ab1f24af2313b52d34ed64b41679dd5ce777f5918eab8
Instruction Fuzzy Hash: 0241AD38A05254EFDB11CF58C898EA977F4FB49384F1581A8E8949B2E1C3B1B981CF90

Function 001016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001016EB

Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65

GetCaretPos.USER32(?), ref: 001016FF
ClientToScreen.USER32(00000000,?), ref: 0010174C
GetForegroundWindow.USER32 ref: 00101752

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c7ea62d6de0345f467e69594d613fb8a499d97b05a2ad26a3ef2b147079b9bf2
Instruction ID: 1795809185765db09cafc4be2a83f897e72747d61fc311ca9347a58999d7b264
Opcode Fuzzy Hash: c7ea62d6de0345f467e69594d613fb8a499d97b05a2ad26a3ef2b147079b9bf2
Instruction Fuzzy Hash: 71316171D00249AFD700EFA9C881CEEB7F9EF48304B50806AE459E7252D7759E45CFA1

Function 000DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
Process32NextW.KERNEL32(00000000,?), ref: 000DD52F
CloseHandle.KERNEL32(00000000), ref: 000DD5DC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 37fd1238adfdf000b9186dda50ae51dfc9024cdcbc61627d6219d9a94e1efa59
Instruction ID: f8f1c9d1b45a99cc0b9ce808803d3eb1276afdc2f41f38b979fd2df1ad62aa43
Opcode Fuzzy Hash: 37fd1238adfdf000b9186dda50ae51dfc9024cdcbc61627d6219d9a94e1efa59
Instruction Fuzzy Hash: 4B31C2715083019FD300EF64D881EAFBBF8EF99354F10492EF585862A2EB719945CBA3

Function 00108FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

GetCursorPos.USER32(?), ref: 00109001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000C7711,?,?,?,?,?), ref: 00109016
GetCursorPos.USER32(?), ref: 0010905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000C7711,?,?,?), ref: 00109094

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 19fefc4cc0d80832ab60d14199a2f59fe39cf97bbd6fefbbed07e75d088b8033
Instruction ID: 95533030cbeddb5a64d61379fb139d5b737da091c1a4b5cd8edb58ad77969230
Opcode Fuzzy Hash: 19fefc4cc0d80832ab60d14199a2f59fe39cf97bbd6fefbbed07e75d088b8033
Instruction Fuzzy Hash: 42218D35600018BFDB258F94CC68EFA7BB9FB4A350F044155F9854B2A2C3B19990DBA0

Function 000DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0010CB68), ref: 000DD2FB
GetLastError.KERNEL32 ref: 000DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0010CB68), ref: 000DD376

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 89bcfbddc4b6b40f6de340f1ea126228703d4065dbe1d33eb7ae045cbcffbe5c
Instruction ID: 0d9c19e48cb33443984d270ca9a66d32fff8623b7cc6bdeb592cafb60ab8cbc1
Opcode Fuzzy Hash: 89bcfbddc4b6b40f6de340f1ea126228703d4065dbe1d33eb7ae045cbcffbe5c
Instruction Fuzzy Hash: 15215C705093019FC710DF28C8818AE77E4AF5A364F504A1BF499C73A2DB719A45CFA7

Function 000D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000D102A
Part of subcall function 000D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000D1036
Part of subcall function 000D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1045
Part of subcall function 000D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000D104C
Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000D15BE
_memcmp.LIBVCRUNTIME ref: 000D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1617
HeapFree.KERNEL32(00000000), ref: 000D161E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 36731ce34bd12433cef9bc0840a1e79dab8290bfb8d056e07c78676a1c95e7f7
Instruction ID: dab42da1405628c43027f1bf9f3d948eadde660d7f7f79cc4098b3402533da7e
Opcode Fuzzy Hash: 36731ce34bd12433cef9bc0840a1e79dab8290bfb8d056e07c78676a1c95e7f7
Instruction Fuzzy Hash: 29216971E00209FFDB00DFA4C949BEEB7F8EF44344F08855AE441AB241EB74AA45CBA0

Function 00102782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0010280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00102824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00102832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00102840

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 19c4a6717cfa49a55b2250bd715afc5ab02c512df938cc1aa3e9bcad950c52f3
Instruction ID: 7c761d882b4efafec11c23f781f57d48585ab4d5876534c84d957fe5da929822
Opcode Fuzzy Hash: 19c4a6717cfa49a55b2250bd715afc5ab02c512df938cc1aa3e9bcad950c52f3
Instruction Fuzzy Hash: 66210635704510AFD7149B24CC48FAA7795AF46324F148259F4568B6D2CBB5FC82CBD0

Function 000D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000D790A,?,000000FF,?,000D8754,00000000,?,0000001C,?,?), ref: 000D8D8C
Part of subcall function 000D8D7D: lstrcpyW.KERNEL32(00000000,?,?,000D790A,?,000000FF,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D8DB2
Part of subcall function 000D8D7D: lstrcmpiW.KERNEL32(00000000,?,000D790A,?,000000FF,?,000D8754,00000000,?,0000001C,?,?), ref: 000D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D7923
lstrcpyW.KERNEL32(00000000,?,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D7984

Strings

cdecl, xrefs: 000D797B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c0bd9f87a258f151dec90699ad5f18b1072031fb8fcdda7bc83854dd705e495e
Instruction ID: 2fb386c7080d6ba244c161ffcf6bca5888ba0ef4535de336b7a288e6c792e93b
Opcode Fuzzy Hash: c0bd9f87a258f151dec90699ad5f18b1072031fb8fcdda7bc83854dd705e495e
Instruction Fuzzy Hash: F911B43A200302ABCB155F34D855D7AB7E5FF85350B50802BF946C73A5FB719851CBA1

Function 00107CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00107D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00107D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00107D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000EB7AD,00000000), ref: 00107D6B

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a4a66a86eaafb8de0a2f26e0519dca8f5a63dbeab9befc5d70e1c94eb10dcfaf
Instruction ID: d30610210168844775274c3b2b1539c923073e43d80ee7ce3339ceb24b4a0e41
Opcode Fuzzy Hash: a4a66a86eaafb8de0a2f26e0519dca8f5a63dbeab9befc5d70e1c94eb10dcfaf
Instruction Fuzzy Hash: 8211E135A05655AFCB109F68CC04AB63BA4BF46360B258728F879C72F0E770ED90CB90

Function 000A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f15094e212e5df4f32ed88c2f16961d83fba2a1e5eaf287b478b2f68493b693
Instruction ID: 2385014646d5597598195587a99769f78421278949d86540f70cd80c5400c113
Opcode Fuzzy Hash: 6f15094e212e5df4f32ed88c2f16961d83fba2a1e5eaf287b478b2f68493b693
Instruction Fuzzy Hash: C2016DB26096167EF6A126F86CC1FAB669DDF837B8F340329F525A11D2DB708C4055A0

Function 000D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A8A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4e3ec460147f41c9f34a68bf0128494709b8ed8fc79c574fdeb8a421bfb216f9
Instruction ID: ce6f632397c0cbac07c756cfdec05a2645d558c5c60d53588b67c82933a1826d
Opcode Fuzzy Hash: 4e3ec460147f41c9f34a68bf0128494709b8ed8fc79c574fdeb8a421bfb216f9
Instruction Fuzzy Hash: 6F110C3AD01219FFEB11DBA9CD85FEDBB78EB04750F200092E604B7290DA716E51DB94

Function 000DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000DE24D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 969c463a16606a600fc3e6c07d27a03d05e93b8019d8da21a22973704ce53274
Instruction ID: 031a07037ffa94409ee1c0ec16c8c9a24ea3d147c12f122a043e963c541b8be4
Opcode Fuzzy Hash: 969c463a16606a600fc3e6c07d27a03d05e93b8019d8da21a22973704ce53274
Instruction Fuzzy Hash: 9D11DB76904354BBC701AFA8DC05AAF7FADAB45320F14435AF914D7791D6B0DD848BB0

Function 0009D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0009CFF9,00000000,00000004,00000000), ref: 0009D218
GetLastError.KERNEL32 ref: 0009D224
__dosmaperr.LIBCMT ref: 0009D22B
ResumeThread.KERNEL32(00000000), ref: 0009D249

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 3ed5efc18c86ade25ee64d058d3f79cf5995937a8de2498c896bd1c6a357642a
Instruction ID: d8413bf63b0499154a59311abe4e17e0e08904e3d26364ee24ac25084f8d653d
Opcode Fuzzy Hash: 3ed5efc18c86ade25ee64d058d3f79cf5995937a8de2498c896bd1c6a357642a
Instruction Fuzzy Hash: DE01F936845104BBDF215BA5DC05BEE7B69EF91730F10431AF925961D1CB70C941E6A0

Function 00093B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00093B56

Part of subcall function 00093AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00093AD2
Part of subcall function 00093AA3: ___AdjustPointer.LIBCMT ref: 00093AED

_UnwindNestedFrames.LIBCMT ref: 00093B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00093B7C
CallCatchBlock.LIBVCRUNTIME ref: 00093BA4

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cab8064657d2b93dc2ab0dcd5db967b275b57fe34b9d36f97672417fb0d08ef3
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 4801E932100149BBDF126E95CC46EEB7BAAEF98754F044014FE4896122C736E962EFA0

Function 000A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000713C6,00000000,00000000,?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue), ref: 000A30A5
GetLastError.KERNEL32(?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue,00112290,FlsSetValue,00000000,00000364,?,000A2E46), ref: 000A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue,00112290,FlsSetValue,00000000), ref: 000A30BF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 785f67323df9520fde694bf7de3516935f086ad01b70f63f3bedb11787f0b123
Instruction ID: 9ca390563d53f7d45be574452d6fe89f2db4b5e567fb22bdcaeba003b21e07c6
Opcode Fuzzy Hash: 785f67323df9520fde694bf7de3516935f086ad01b70f63f3bedb11787f0b123
Instruction Fuzzy Hash: AA012B32301222ABCB314BF99C54E577BD8AF07BA1B204720F945E7580C731D941CAE0

Function 000D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000D74CA

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 483b05ccb948630aa7551f863f6afa8d63ce5c977ae284a84b06ae1f7a77e0df
Instruction ID: 0d24f35504b1517b9815fe90c2e686e48275ef00691da24647d6305052150752
Opcode Fuzzy Hash: 483b05ccb948630aa7551f863f6afa8d63ce5c977ae284a84b06ae1f7a77e0df
Instruction Fuzzy Hash: CA118BB1205310ABE7318F14DC08B96BBFCFF00B00F10856AA65AD6691E7B0E944DFA0

Function 000DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB126

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 299b0719552c65a923a31512603193adf4b62886c98d3fcf1e11855dc3f30989
Instruction ID: 865b7a0088e05a7024ce730df6ce0ddedcab9a0f8aaa8c85b8c9f9a4688222ae
Opcode Fuzzy Hash: 299b0719552c65a923a31512603193adf4b62886c98d3fcf1e11855dc3f30989
Instruction Fuzzy Hash: 30116D31C0162CEBCF10AFE4E9596EEBF78FF09711F524186D981B2281CB7096908BA5

Function 00107E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00107E33
ScreenToClient.USER32(?,?), ref: 00107E4B
ScreenToClient.USER32(?,?), ref: 00107E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00107E8A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fd3f68d7f707012c96d74301dc084daeecdad777decc1262a36e459bc0051bca
Instruction ID: c5a70ee51378f62cfda4aa6ebc55743f56166749d03eb4f874cb2b8ae66de339
Opcode Fuzzy Hash: fd3f68d7f707012c96d74301dc084daeecdad777decc1262a36e459bc0051bca
Instruction Fuzzy Hash: 111186B9D0024AAFDB41CF98C8849EEBBF5FF08310F104156E951E3650D775AA94CF90

Function 000D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000D2DD6
GetCurrentThreadId.KERNEL32 ref: 000D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000D2DE4

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7b3d6115eecd0be9ee35f2a4501279720df127be14f6b86b8d3511ca073a4aaa
Instruction ID: 647f48eecc0efe8619d61d1ee62953f1c59d91dd741d06c9e30d985e0b599c85
Opcode Fuzzy Hash: 7b3d6115eecd0be9ee35f2a4501279720df127be14f6b86b8d3511ca073a4aaa
Instruction Fuzzy Hash: 94E06D71101324BAD7301B629C0DEEB3E6DFB56BA1F000216B145D16809AE18880CAF0

Function 00108863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00089639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896A2
Part of subcall function 00089639: BeginPath.GDI32(?), ref: 000896B9
Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00108887
LineTo.GDI32(?,?,?), ref: 00108894
EndPath.GDI32(?), ref: 001088A4
StrokePath.GDI32(?), ref: 001088B2

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ce783551162ae16eeafd437b42c8052939e2273589450400a0770185aa8e6219
Instruction ID: cc718119825c108bd571e26503f6b05d3172f4a78a06bcfb54da2cb7dab6b6d6
Opcode Fuzzy Hash: ce783551162ae16eeafd437b42c8052939e2273589450400a0770185aa8e6219
Instruction Fuzzy Hash: 82F05E3A045258FAEB126F94AC0DFCE3F59AF06310F048101FA91654E2C7B555A1DFE5

Function 000898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000898CC
SetTextColor.GDI32(?,?), ref: 000898D6
SetBkMode.GDI32(?,00000001), ref: 000898E9
GetStockObject.GDI32(00000005), ref: 000898F1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f879c85cddf42c33ded04a57e70e227d6a2c1de57b0eb6ab60811894f207796c
Instruction ID: c85ef3ff8a060d043d48ac906b21157e252414b70e5bf98b9f8edabea45800f9
Opcode Fuzzy Hash: f879c85cddf42c33ded04a57e70e227d6a2c1de57b0eb6ab60811894f207796c
Instruction Fuzzy Hash: 3AE06D31244680EEDB215B78AC09BEC3F61AB52336F04C319FAFA584E1C3B146909F50

Function 000D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000D11D9), ref: 000D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D164F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 657427db73ac90c017caac371fd5865479edba529f2b6983aa10c90021ec25d2
Instruction ID: 6d0430688d75f95a894f4c61fa899d1d2b13a0f7b9e80f1cf8e19a50040ceed5
Opcode Fuzzy Hash: 657427db73ac90c017caac371fd5865479edba529f2b6983aa10c90021ec25d2
Instruction Fuzzy Hash: B8E08635601311EBE7601FA09D0DB873BBDAF54791F14C909F285C9480DAB48480CFA0

Function 000CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000CD858
GetDC.USER32(00000000), ref: 000CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000CD882
ReleaseDC.USER32(?), ref: 000CD8A3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9e4280625f843b7b27c7e6da0aa0273116fbd76c47832add5e50c2229b76383c
Instruction ID: 12f5f4e431d0aed195358c950eba9971d978a7526d9c846897a0175433c822cd
Opcode Fuzzy Hash: 9e4280625f843b7b27c7e6da0aa0273116fbd76c47832add5e50c2229b76383c
Instruction Fuzzy Hash: 6BE01AB4800204DFCF61AFA0D808A6DBBB1FB08310F20C119F88AE7750CB798981AF90

Function 000CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000CD86C
GetDC.USER32(00000000), ref: 000CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000CD882
ReleaseDC.USER32(?), ref: 000CD8A3

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 18796b987172fbfe658e0a7804a796739bcc94d699e653faba5d8fc7989fed28
Instruction ID: fd54f01ca811955978b48a73af66c15860c2b5fa776592b36a298efdeaedbad0
Opcode Fuzzy Hash: 18796b987172fbfe658e0a7804a796739bcc94d699e653faba5d8fc7989fed28
Instruction Fuzzy Hash: 5BE09A75C00204DFCF61AFA0D80866DBBB5BB08311F14C559F98AE7750CB7959419F90

Function 000E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000E4ED4

Strings

LPT, xrefs: 000E4DFB
*, xrefs: 000E4E10

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 79971fd8c197c69d67a0f875d21c0fb3953f56efefc8d359e0fee3489c2c67f0
Instruction ID: 40a9c7eac646847083e5c0db9e434afb0ca8ba5831069355196e096c58dd5912
Opcode Fuzzy Hash: 79971fd8c197c69d67a0f875d21c0fb3953f56efefc8d359e0fee3489c2c67f0
Instruction Fuzzy Hash: 55917075A00244DFCB54DF59C484EAABBF1BF44704F1980A9E80AAF3A2C775ED85CB91

Function 0009E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0009E30D

Strings

pow, xrefs: 0009E2E5, 0009E302

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 3ec67c9bd4720bf50cd11c3e1000d12b91a3488037f7982aa0418d01c247471c
Instruction ID: c6869c860fa2340381353fbe9cd285fd9f0aed964e9b99d092213f93254b4650
Opcode Fuzzy Hash: 3ec67c9bd4720bf50cd11c3e1000d12b91a3488037f7982aa0418d01c247471c
Instruction Fuzzy Hash: B2515C61A0C242A6CF65F754CE053FE3BE4EB51740F34CD68E0D9422EAEB358DD1AA46

Function 0008E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0008E1B1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4ac2ad91eef546b9b876907d3dc45b462b28c7d8e30905532fb400693fe7b101
Instruction ID: 9d7f1dac37b51a871c4a08134f47b2d8315abbb0e25189e60c4b8187203e27bc
Opcode Fuzzy Hash: 4ac2ad91eef546b9b876907d3dc45b462b28c7d8e30905532fb400693fe7b101
Instruction Fuzzy Hash: FD512435904286EFDF65EF68C481EFE7BE4EF25310F248159E8919B2D1DA349D42CB90

Function 0008F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0008F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0008F2BB

Strings

@, xrefs: 0008F2AF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c3c5a7cd00fc71ff74b7a3c5693dc505709be5e63c65fa6ca0ce1e78d82de97d
Instruction ID: 3d45c860b752d95ddd92a2240586f50fcda2de22656bb10251bcc87065885da0
Opcode Fuzzy Hash: c3c5a7cd00fc71ff74b7a3c5693dc505709be5e63c65fa6ca0ce1e78d82de97d
Instruction Fuzzy Hash: 03515971808744ABD320AF10DC86BAFB7F8FB95340F81885CF1D9411A6EB758569CB6B

Function 000D2999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000D29EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 000D2A8D

Part of subcall function 000D2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000D2CE0

Strings

@U=u, xrefs: 000D29EB, 000D2A8D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 64cd924fc680fe30ea8ba5af2a3c479490631f045599ed28665dc9510528378d
Instruction ID: 9357ee66a29749295b587f5e6c6b4987e9f10cc71e5889654290c60f7e5610fa
Opcode Fuzzy Hash: 64cd924fc680fe30ea8ba5af2a3c479490631f045599ed28665dc9510528378d
Instruction Fuzzy Hash: 5E418170A00309ABDF25DF54C845BEE7BB9EF54710F04402AF91AA3392DB749E45CBA2

Function 000F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000F57E0
_wcslen.LIBCMT ref: 000F57EC

Strings

CALLARGARRAY, xrefs: 000F57E6, 000F57EB

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: e17a4afb849dee1e43c237f2932d876a30db50018d413cb3687b9a867efcc55b
Instruction ID: 8ecc6490158760d7f8a42ca72d5bc73066f05bfb51246a369086ec630bd7110e
Opcode Fuzzy Hash: e17a4afb849dee1e43c237f2932d876a30db50018d413cb3687b9a867efcc55b
Instruction Fuzzy Hash: 3A41B271E002099FCB14DFA8C8818FEBBF5FF59351F204029E605A7292EB749D82DB90

Function 000ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000ED13A

Strings

|, xrefs: 000ED10B

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f92c747ecaebd8e779f35a2c2bd46e205e41e3024b672015fbc15673f3f8b99a
Instruction ID: 3f1cf9dbc9b25c02f70f7437bbafd0c9c85e6036497af093f7aa918b5b30a1f1
Opcode Fuzzy Hash: f92c747ecaebd8e779f35a2c2bd46e205e41e3024b672015fbc15673f3f8b99a
Instruction Fuzzy Hash: 3B311971D00209AFCF15EFA5CC85AEEBFB9FF04300F004059F819A6162EB35AA46DB65

Function 0010356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00103621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0010365C

Strings

static, xrefs: 001035BC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9d05e732aee10ccd23734b3de8e9cfe3afc1ab7722cd5bf94ef8b00d0b90b8ca
Instruction ID: 840fc0160f3fc4494b32164be000c74be828b2625ac62b74cb683cbe3ed1f3ec
Opcode Fuzzy Hash: 9d05e732aee10ccd23734b3de8e9cfe3afc1ab7722cd5bf94ef8b00d0b90b8ca
Instruction Fuzzy Hash: A3318D71100604AEDB109F68DC80EFB73ADFF88720F109619F8A597290DBB1AD91DB60

Function 00104537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0010461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00104634

Strings

', xrefs: 0010458E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d7cdc70f0a27974843004747d20f9b7ae77c66228b539137f22bbefb1cccffa8
Instruction ID: 1d9048490b1218cdae4503f232692415bb1d1f777b4c8530339edb8fd8283ddd
Opcode Fuzzy Hash: d7cdc70f0a27974843004747d20f9b7ae77c66228b539137f22bbefb1cccffa8
Instruction Fuzzy Hash: E0312CB4A01309AFDF14CFA9C991BDA7BB5FF49300F144069EA45AB391E7B1A941CF90

Function 000D286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000D2884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000D28B6

Strings

@U=u, xrefs: 000D2884, 000D28B6

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 31da0ee2187cac0ec117220ae7e6f0a528b78f8f96f6fc329409abefbce99bba
Instruction ID: aff89cf60e41775df9c0622eb892c1fae382c969b667fd7d2e5447a89eb0a657
Opcode Fuzzy Hash: 31da0ee2187cac0ec117220ae7e6f0a528b78f8f96f6fc329409abefbce99bba
Instruction Fuzzy Hash: 5421E672E00305ABCB11AB948481DFEB7B9EFA8710B10411AE919A7395EB749D42C7B4

Function 000D3BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D3D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000D3C23
_strlen.LIBCMT ref: 000D3C2E

Strings

@U=u, xrefs: 000D3C23

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: c5e4e082563ea6d67d5a581cd4735300a3811db674fe7967defbed79168a8647
Instruction ID: 4ff8ed528a3188db25c0c10e57d43668b42561a104bf3dfb17916e4cc41022d8
Opcode Fuzzy Hash: c5e4e082563ea6d67d5a581cd4735300a3811db674fe7967defbed79168a8647
Instruction Fuzzy Hash: B5113A3171021127CB28BA78D8928FE77A48F45B40F00403FF906AB393DE219E4287F5

Function 0010336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DED19: GetLocalTime.KERNEL32 ref: 000DED2A
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DED3B
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DED79
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DEDAF
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DEDDF
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DEDEF
Part of subcall function 000DED19: _wcslen.LIBCMT ref: 000DEE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 0010340A

Strings

SysDateTimePick32, xrefs: 001033C7
@U=u, xrefs: 0010340A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: 576f7aeae0a9613db76ec87104c02b0e7fecf7726bcc63bef432c4fd9a63b31f
Instruction ID: 1f7a2e189ce3f23ce2972fc51fa209ba63ff54305de640292eadd3b0168d129e
Opcode Fuzzy Hash: 576f7aeae0a9613db76ec87104c02b0e7fecf7726bcc63bef432c4fd9a63b31f
Instruction Fuzzy Hash: 4B21DF312402096BEF229E54DC82FEE33AAEB44754F200519F990AA1D0DBF1EC9187A0

Function 000D215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000D2178

Part of subcall function 000DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000DB355
Part of subcall function 000DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB365
Part of subcall function 000DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB37B

Part of subcall function 000DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21D0,?,?,00000034,00000800,?,00000034), ref: 000DB42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 000D21DF

Part of subcall function 000DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000DB3F8

Strings

@U=u, xrefs: 000D2178, 000D21DF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 12b759737c217ba8d242ec19d14116adce81db18b835529236c73e53448a1a47
Instruction ID: 93518c32ff04fabbe03a940498aa812bc4cc12ab1bfa47995938d71eadaf3cf6
Opcode Fuzzy Hash: 12b759737c217ba8d242ec19d14116adce81db18b835529236c73e53448a1a47
Instruction Fuzzy Hash: 84216231901218EBEF11DB98DC41FDDBBB8FF14350F104196F548A7291EA715A44DF64

Function 001031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0010327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00103287

Strings

Combobox, xrefs: 00103249

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 33d85aaf8d1ffdb55087c562a2eefaf7a58499ec1f503504d85bc5d0cfb434b2
Instruction ID: b878f8c82a0a22060747dd5b81e4b48100989cf5da1fab05eee7604f2679fb44
Opcode Fuzzy Hash: 33d85aaf8d1ffdb55087c562a2eefaf7a58499ec1f503504d85bc5d0cfb434b2
Instruction Fuzzy Hash: EE1190712002087FEF259F54DC81EFB376EEB983A4F104125F968972D1D7B19D5187A0

Function 00103710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0007600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
Part of subcall function 0007600E: GetStockObject.GDI32(00000011), ref: 00076060
Part of subcall function 0007600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A

GetWindowRect.USER32(00000000,?), ref: 0010377A
GetSysColor.USER32(00000012), ref: 00103794

Strings

static, xrefs: 00103757

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3a2c8a8e84fde0b56be55a1b5effd73c446a01735937dd02d565e13b03b36603
Instruction ID: baf45ca97d1b580ba9723217598c7baf595033aa5e190d9666db670d722a1297
Opcode Fuzzy Hash: 3a2c8a8e84fde0b56be55a1b5effd73c446a01735937dd02d565e13b03b36603
Instruction Fuzzy Hash: B7113AB261020AAFDF01DFA8CC45EEA7BB8FF08354F004A15FDA5E2290D775E8519B90

Function 00106181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001061FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00106225

Strings

@U=u, xrefs: 001061FC, 00106225

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: b117c68a7fd07b096cb1e24bf9acc3ed159999530e4d34e5cfbeeec4956618e4
Instruction ID: 7699ce52458906e07bdc2032f46ca3f95e25ba64b815224345d4bb7f4ec3b6f8
Opcode Fuzzy Hash: b117c68a7fd07b096cb1e24bf9acc3ed159999530e4d34e5cfbeeec4956618e4
Instruction Fuzzy Hash: 1611C431140215FEEB149F68CC19FF93BA9EB06314F004115FA969A1E1D7F1DA60DB50

Function 000ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000ECDA6

Strings

<local>, xrefs: 000ECD66

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 29f96478f399e3288640b3ac7fd7bd0be21ab9e2df09ef831f2530853cf822d9
Instruction ID: 95c6aa88a74555fefa2c57a8c7f3c828613110229f727417419032897d954b4f
Opcode Fuzzy Hash: 29f96478f399e3288640b3ac7fd7bd0be21ab9e2df09ef831f2530853cf822d9
Instruction Fuzzy Hash: C511C671209671BEE7784B678C45EE7BEACEF127A4F004236B149A3080D7779842D6F0

Function 00104F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00104FCC

Strings

@U=u, xrefs: 00104FCC, 00105008

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d46f4d75e6f9242bf578c7fa9fd52b102e1659cf20a0782e68b1a0fa09a96798
Instruction ID: c468888e5b08d72967c2c68b6e85ab86124f1195186f1de2a5a95126994b8b6d
Opcode Fuzzy Hash: d46f4d75e6f9242bf578c7fa9fd52b102e1659cf20a0782e68b1a0fa09a96798
Instruction Fuzzy Hash: FE21C27AA0011AAFCB15CFA8C9848EE7BBAEB4D340B004554FA45A7364D771E961DF90

Function 001030D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00103147

Strings

button, xrefs: 0010311E
@U=u, xrefs: 00103147

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 8a45c54596edae2067deeed1d93ef67f5e63f479657b9ad873629acc6721e526
Instruction ID: 1b51066d49936e6c53707ce0a89e99f8f7dd4a435c7275bdec8dfab29b5008fa
Opcode Fuzzy Hash: 8a45c54596edae2067deeed1d93ef67f5e63f479657b9ad873629acc6721e526
Instruction Fuzzy Hash: D411A172250209ABDF118F64DC41FEB3BAAFF0C354F104114FAA4A71D0CBB6E8A1AB50

Function 000D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD

CharUpperBuffW.USER32(?,?,?), ref: 000D6CB6
_wcslen.LIBCMT ref: 000D6CC2

Strings

STOP, xrefs: 000D6CBC, 000D6CC1

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f5c96dcf248510367618052f8d97f58011bea23bba15b75d8575072b77aaab57
Instruction ID: 2cae5344bcdc90550ded5843b01748ef0219c8f4a069bc7ffb18cc536437c556
Opcode Fuzzy Hash: f5c96dcf248510367618052f8d97f58011bea23bba15b75d8575072b77aaab57
Instruction Fuzzy Hash: B301C432A146268ACB219FBDDC819BF77E6EF61710B500526E85296291EB37D940C660

Function 000D23DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21D0,?,?,00000034,00000800,?,00000034), ref: 000DB42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 000D243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 000D245E

Strings

@U=u, xrefs: 000D243B, 000D245E

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 02c6ac717ead552e4be58f02766808a2d16ff784cc1c8a99c9dc9c43e7e1f2c9
Instruction ID: daed5f337cc071a69415ae45f692110aff3dc7388ded5ca9aca4f480c8a82117
Opcode Fuzzy Hash: 02c6ac717ead552e4be58f02766808a2d16ff784cc1c8a99c9dc9c43e7e1f2c9
Instruction Fuzzy Hash: BD01D632900218EBEB21AF68DC46FEEBB78DB14310F10812BF955A61D1DBB06E45CB70

Function 00104366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 001043AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00104408

Strings

@U=u, xrefs: 001043AF

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 100d334685bd2d3295df4649f2a72cc26a964a20f8638216f8d3a02c63dacb42
Instruction ID: 376b6705b1a562ac1620baedb1befda5cdfd171d3a8e5445d9d0ae3aee0c1e22
Opcode Fuzzy Hash: 100d334685bd2d3295df4649f2a72cc26a964a20f8638216f8d3a02c63dacb42
Instruction Fuzzy Hash: 1C11BC70500744AFE721DF24C891BEBBBE4BF05310F10891CE9EB9B291CBB1A941CBA0

Function 000D250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 000D2531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 000D2564

Part of subcall function 000DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000DB3F8

Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A

Strings

@U=u, xrefs: 000D2531, 000D2564

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: affff6ab3cce6ab38757ee745366edc01ccdd4436f58d1ac8dd0a0ccf7997c12
Instruction ID: b021c3ba37816010991bc1b1404fc4e2f22f4eda1a22a25af70f03937f1dd7d8
Opcode Fuzzy Hash: affff6ab3cce6ab38757ee745366edc01ccdd4436f58d1ac8dd0a0ccf7997c12
Instruction Fuzzy Hash: F8012171900118EFDB50AF54DC91DED776CEF14344F80C066B649A6251DE715F89CFA0

Function 001090A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,000C769C,?,?,?), ref: 00109111

Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001090F7

Strings

@U=u, xrefs: 001090F7

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: c3e9386bee4ff66bbfeb3cbb5c9ac4407bddb62136f4601e67abf8a159f2eb2a
Instruction ID: 966c05734f57cda3ce7ed17b3eae274b0d5d9cf46396c579baaef2f2a9d6795c
Opcode Fuzzy Hash: c3e9386bee4ff66bbfeb3cbb5c9ac4407bddb62136f4601e67abf8a159f2eb2a
Instruction Fuzzy Hash: 8701DF34200214BBDB21AF14DC69FA63BA6FF86375F100128F9911B6E2CBB26C91CB50

Function 000D246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000D2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000D2497

Part of subcall function 000D23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 000D243B

Strings

@U=u, xrefs: 000D2480, 000D2497

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 852df40dd7cf51b9cbd317df1eedba9c14f00fbedaf11920dfccda35dc9883f0
Instruction ID: b06972008075f4e96d83fec8fc31281e4205675be2a71ad1ee4f7ece34a9f0b6
Opcode Fuzzy Hash: 852df40dd7cf51b9cbd317df1eedba9c14f00fbedaf11920dfccda35dc9883f0
Instruction Fuzzy Hash: 59F02730601221BAEB201B16CC0FCDFBF6DDF56760B100115B845A2251CAF15D81CBF0

Function 000F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F7493
_wcslen.LIBCMT ref: 000F74B9

Strings

3, 3, 16, 1, xrefs: 000F7483

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 3d5c97dd553277e01eed14d6d0929bcf82129878c6313d41f1bd5f8ec37f1143
Instruction ID: 3a0855bfe3f74175ee834da5ab6ee0ddb87c60ac7d8a66cecf150ed912cb524b
Opcode Fuzzy Hash: 3d5c97dd553277e01eed14d6d0929bcf82129878c6313d41f1bd5f8ec37f1143
Instruction Fuzzy Hash: 5BE02B022052241092712279ACC1DBF56C9DFC9750710182BFA89C22A7EB94DD92B3A2

Function 000D2BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000D2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000D2C2A

Strings

@U=u, xrefs: 000D2BFA, 000D2C2A

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 179ed4457dce9a9563fd548d45c9074f5b682a6e3c78c5841c0295bc4636e586
Instruction ID: 4b5166fd4c338fd9e1718abb0f462079a5552e982f78a2be913014696196dc90
Opcode Fuzzy Hash: 179ed4457dce9a9563fd548d45c9074f5b682a6e3c78c5841c0295bc4636e586
Instruction Fuzzy Hash: 52F0A075340304BFFA216B90DC46FEA7B5CEB25761F105115F7495A2D1CAE25C509BA0

Function 000D2D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000D2884
Part of subcall function 000D286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000D28B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 000D2D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000D2D90

Strings

@U=u, xrefs: 000D2D80, 000D2D90

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 59c061985f30cb5f87e6300fa0e3c77e2dbbf682856a686a44e5488d259da4e6
Instruction ID: 3e2b1e47061a1c1f3eff6ee7d2201881392cddf86dedc310e2675ee59dedde6d
Opcode Fuzzy Hash: 59c061985f30cb5f87e6300fa0e3c77e2dbbf682856a686a44e5488d259da4e6
Instruction Fuzzy Hash: BBE092352443057EF6310B519C46EE6375DD768751F100027B20465291DEE38C515970

Function 00105829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00105855
InvalidateRect.USER32(?,?,00000001), ref: 00105877

Strings

@U=u, xrefs: 00105855

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 64f8c883d5bcb07d15cede10299d8df7d500a606ffe0653842ecacce42c94f0c
Instruction ID: 199e7182837b48d42a08bf1dbda3c1f37def638c0c28e47a9d7662bd3d0f7d96
Opcode Fuzzy Hash: 64f8c883d5bcb07d15cede10299d8df7d500a606ffe0653842ecacce42c94f0c
Instruction Fuzzy Hash: A7F08232604140AEDB208B65DC44FEEBFF9EB85325F0445B2E59AD9191DBB08A81CF60

Function 000D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000D0B23

Strings

Error allocating memory., xrefs: 000D0B1C
AutoIt, xrefs: 000D0B17

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 28670089e18b636a336cc8cd072346784ecbe0f112edeeaf3301cc1b53bf99ac
Instruction ID: e58c1efbd57cda039c4b048a19d56a142c79c2010abe8c3e695587af3f8639b2
Opcode Fuzzy Hash: 28670089e18b636a336cc8cd072346784ecbe0f112edeeaf3301cc1b53bf99ac
Instruction Fuzzy Hash: DEE0D83124830866D21437547C03FD97BC59F05F65F104427F7C8555C38BE224904BE9

Function 00090D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0008F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00090D71,?,?,?,0007100A), ref: 0008F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0007100A), ref: 00090D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0007100A), ref: 00090D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00090D7F

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f1ed0a0d32d812df7def5fee383d8730a16ad6f31804dd0ad81966b3601b2016
Instruction ID: 56c331dad8eacc11875bc71e0369f59d3033eb8e73c2c084c9a8479dd7fb03cc
Opcode Fuzzy Hash: f1ed0a0d32d812df7def5fee383d8730a16ad6f31804dd0ad81966b3601b2016
Instruction Fuzzy Hash: C7E06D742013018FE7709FB8D4083427BE4BB00740F008A2DE8D6C6A92DBF5E4848BD1

Function 000E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000E3044

Strings

aut, xrefs: 000E3038

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 095fdccae70b25111f89c046b8b5cb449bf0bc405543ba463de04dd16e762978
Instruction ID: 0f26e5b8848a534bedb2987ee3023954cf12897580a34bb847ad563acf980ea4
Opcode Fuzzy Hash: 095fdccae70b25111f89c046b8b5cb449bf0bc405543ba463de04dd16e762978
Instruction Fuzzy Hash: 94D05E7250032877DA20A7A4AC0EFCB7E7CDB05750F0002A1B695E24D1DEF09984CED0

Function 000CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000CD220

Strings

%.3d, xrefs: 000CD22B
X64, xrefs: 000CD2A8

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b13d9f240d9b5bc33ccc9c692ebd6f7cc75b78a096c8fbc373071c250d1e35f4
Instruction ID: 2729155da94a7959912dcffdb030cd678859fa7caaf0960d3d33959167abde7f
Opcode Fuzzy Hash: b13d9f240d9b5bc33ccc9c692ebd6f7cc75b78a096c8fbc373071c250d1e35f4
Instruction Fuzzy Hash: B4D062A1C09119E9CB70A7E0DC45EBEB3BCFB29341F508577F94692041D734D5496B61

Function 00102356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0010236C
PostMessageW.USER32(00000000), ref: 00102373

Part of subcall function 000DE97B: Sleep.KERNELBASE ref: 000DE9F3

Strings

Shell_TrayWnd, xrefs: 00102365

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ad93a594ae64179add2a92c43dd9184058dbce9d9e9d00b48e16a9ac332a839f
Instruction ID: 3a76c9457b6bcddb83951d071de5900bf0be2cb7be165bb7b3a915b738ca04e0
Opcode Fuzzy Hash: ad93a594ae64179add2a92c43dd9184058dbce9d9e9d00b48e16a9ac332a839f
Instruction Fuzzy Hash: A2D0C9763913507AE668B770DC0FFC6B6189B04B14F508A167685AA2D1C9E0A8418EA4

Function 000D2313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000D231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 000D232D

Strings

@U=u, xrefs: 000D231F, 000D232D

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 2d2f95227da215ee81ba402d30f680c1307c6bcf9b00bbcee374cf24997de16c
Instruction ID: fa763aec36da415f52884b83bea63b3ccd905869ad8aaa0d5b5bb5208053a9c3
Opcode Fuzzy Hash: 2d2f95227da215ee81ba402d30f680c1307c6bcf9b00bbcee374cf24997de16c
Instruction Fuzzy Hash: 2FC08C311001C0BAF7300B23BC0CCC73E3DE7CBF01300020CB244844A58AA20082CA30

Function 000ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000ABE93
GetLastError.KERNEL32 ref: 000ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000ABEFC

Memory Dump Source

Source File: 00000000.00000002.1427728937.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.1427627325.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1427891545.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428288508.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1428371535.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 24370069d718fd2f0cd3afd6a04aed515e51d7c15568342b06ac17e32b1d9e2f
Instruction ID: c82644ddaf39c06059a29b2cb40ec8d292efd8bbfd94ce6fd40797b1cf16a451
Opcode Fuzzy Hash: 24370069d718fd2f0cd3afd6a04aed515e51d7c15568342b06ac17e32b1d9e2f
Instruction Fuzzy Hash: 6E41AF34605246AFCF618FE4CC54AAABBE5AF43320F184269F9599B1A3DB308D01DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1001248921&timestamp=1727888700501 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIlqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=micYROsaTqDyWZzfS8HPmk92q0qq2-cElcyknW9mTo4Xk5GaoDqFS-olR2joG-79rbj7_NsTG06Zfyt-Ws3X2H6kXi4sobV0bBJ0fctqnO6Fta3q4cLEcYSvUwe_WHP-dGTq4QudYScfP6MN8vUkKCR8twtJIoumuMFGSU9ibygcF7i9qKU
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gT5EOe7XAfCHPgO&MD=yYxOA5Wo HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gT5EOe7XAfCHPgO&MD=yYxOA5Wo HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 109

Chrome Cache Entry: 110

Chrome Cache Entry: 111

Windows Analysis Report
file.exe

Function 0008F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 000742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 000742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 000FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre