Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524416
MD5:	f8f75e38c6ac62437b87e91357b5e4b2
SHA1:	a9416b829703d33aab1c5c5c0061acaf0e0ffaf9
SHA256:	ff3eb3b73be9294cf03e51eb541d635500b30fcd0740140600f4c1ea44015eca
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1816 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F8F75E38C6AC62437B87E91357B5E4B2)

taskkill.exe (PID: 5476 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1816	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_151.10.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_151.10.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_143.10.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_151.10.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_151.10.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_143.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_143.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_151.10.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_151.10.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_151.10.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_151.10.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_151.10.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_143.10.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_151.10.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_151.10.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_151.10.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_143.10.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_151.10.dr	String found in binary or memory: https://www.google.com
Source: chromecache_151.10.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_143.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_151.10.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_151.10.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.2718106625.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/
Source: file.exe, 00000000.00000002.2718219880.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2717550791.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2701738341.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pw
Source: file.exe, 00000000.00000002.2718106625.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwds
Source: chromecache_151.10.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 63813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 63814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 63815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:63815 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EBED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EAAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00ED9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e74eb1e2-c
Source: file.exe, 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f1165ed6-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_30ae38b0-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ce311701-5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EAD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EAE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E48060	0_2_00E48060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2046	0_2_00EB2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA8298	0_2_00EA8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E4FF	0_2_00E7E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7676B	0_2_00E7676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED4873	0_2_00ED4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4CAF0	0_2_00E4CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6CAA0	0_2_00E6CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5CC39	0_2_00E5CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E76DD9	0_2_00E76DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5D071	0_2_00E5D071
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E491C0	0_2_00E491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5B119	0_2_00E5B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61394	0_2_00E61394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6781B	0_2_00E6781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5997D	0_2_00E5997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E47920	0_2_00E47920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67A4A	0_2_00E67A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67CA7	0_2_00E67CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E79EEE	0_2_00E79EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECBE44	0_2_00ECBE44

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E5F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E60A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E49CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@44/30@10/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB37B5 GetLastError,FormatMessageW,

0_2_00EB37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EA10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EA16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EB51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00ECA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EB648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E442A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E60A76 push ecx; ret

0_2_00E60A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E5F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00ED1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-93318

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.1 %

Source: C:\Users\user\Desktop\file.exe TID: 2948

Thread sleep time: -58000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7C2A2 FindFirstFileExW,	0_2_00E7C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB68EE FindFirstFileW,FindClose,	0_2_00EB68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EB698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EAD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EAD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EB9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EB979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EB9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EB5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-93279

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBEAA2 BlockInput,

0_2_00EBEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E72622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E64CE8 mov eax, dword ptr fs:[00000030h]

0_2_00E64CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EA0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E72622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E6083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E609D5 SetUnhandledExceptionFilter,	0_2_00E609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E60C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E82BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E5F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EC22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EA0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EA1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, 00000000.00000003.2109524144.00000000009BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2132836997.00000000009BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126990099.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E60698 cpuid

0_2_00E60698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EB8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9D27A GetUserNameW,

0_2_00E9D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E7B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1816, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1816, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EC1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EC1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	216.58.206.78	true	false	unknown
www3.l.google.com	142.250.185.206	true	false	unknown
play.google.com	142.250.185.142	true	false	unknown
www.google.com	172.217.18.4	true	false	unknown
youtube.com	142.250.186.46	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_151.10.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_151.10.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_143.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_151.10.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_143.10.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_151.10.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_151.10.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_151.10.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_151.10.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_151.10.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	youtube.com	United States	15169	GOOGLEUS	false
142.250.185.206	www3.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524416
Start date and time:	2024-10-02 19:05:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@44/30@10/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 50 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 2.16.100.168, 142.250.185.195, 64.233.167.84, 216.58.206.78, 34.104.35.123, 142.250.185.138, 142.250.185.74, 142.250.186.138, 142.250.185.106, 142.250.186.74, 142.250.184.202, 142.250.185.202, 142.250.185.234, 216.58.212.138, 216.58.206.74, 172.217.16.202, 142.250.185.170, 142.250.184.234, 172.217.18.10, 172.217.18.106, 142.250.186.106, 142.250.181.227, 142.250.186.42, 142.250.181.234, 216.58.206.42, 172.217.16.138, 142.250.186.170, 93.184.221.240, 172.217.16.195
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:06:52	API Interceptor	111x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
youtube-ui.l.google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	216.58.206.46
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.142
	file.exe	Get hash	malicious	Unknown	Browse	172.217.16.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	216.58.212.174
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.18.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.174
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.16.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.18.14

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
3b5074b1b5d032e5620f69f9f700ff0e	0XVZC3kfwL.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	nTHivMbGpg.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	file.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.115.3.253
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.115.3.253
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.115.3.253
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	40.115.3.253
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.115.3.253
	inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe	Get hash	malicious	AgentTesla	Browse	40.115.3.253

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 140

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 141

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 142

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 143

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791085594389134
Encrypted:	false
SSDEEP:	6144:yVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:zfd8j91/N
MD5:	3FDEB0FE61D04FE9E0081BCF8EAD05D7
SHA1:	FCA1D32D71DE9B1FC86CF8C927D4D3E313F8EEF1
SHA-256:	EA11EFDB297631020115306F867725DE78586BB8D08499987552EDF2614A1F40
SHA-512:	6E7077EE009505111DA0DCECA5FD23368CDABF95D0DA10FF9A9D6ED8D8C7F92051A26BD6BCC1368F688D4465AD7438A408A8C963FBBA75438136A27CF0B59CD0
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHIxvWDLaKr9gauWjw_Jp2NnAj5jg/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20c69860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 144

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 145

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 146

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 147

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 148

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 149

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 150

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 151

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 152

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimMQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEAF-baPa28Av_JZAHlEj0o1Qzd2A/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 153

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582414945890609
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	f8f75e38c6ac62437b87e91357b5e4b2
SHA1:	a9416b829703d33aab1c5c5c0061acaf0e0ffaf9
SHA256:	ff3eb3b73be9294cf03e51eb541d635500b30fcd0740140600f4c1ea44015eca
SHA512:	96e9af77df41a24a47f501c0f0197dde7762fa78f70298cb6f963937e200daade34d0e7bdde89b55ae71784c45461c49096747ddd3a0eff7a270084db5f1fd72
SSDEEP:	12288:aqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaeTd:aqDEvCTbMWu7rQYlBQcBiT6rprG8aGd
TLSH:	20159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD7731 [Wed Oct 2 16:39:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBA04672723h
jmp 00007FBA0467202Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBA0467220Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBA046721DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBA04674DCDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBA04674E18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBA04674E01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9994	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9994	0x9a00	4a526b4afe84e2d705e7e936e766634b	False	0.306057224025974	data	5.279517333707518	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc5a	data			1.0034788108791903
RT_GROUP_ICON	0xdd414	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd48c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd4a0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd4b4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd4c8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd5a4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:06:15.792736053 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:15.792736053 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:16.105242968 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:24.041464090 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.041508913 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.041580915 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.042474031 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.042488098 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.832597017 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.832791090 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.837879896 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.837893963 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.838335037 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.840214968 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.840277910 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.840285063 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:24.840424061 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:24.887398005 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:25.015630007 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:25.015713930 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:25.015912056 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:25.015954971 CEST	49710	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:25.015975952 CEST	443	49710	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:25.402151108 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:25.402152061 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:25.714786053 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:27.409991026 CEST	443	49705	173.222.162.64	192.168.2.6
Oct 2, 2024 19:06:27.410331964 CEST	49705	443	192.168.2.6	173.222.162.64
Oct 2, 2024 19:06:32.050909996 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.050965071 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.051209927 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.051785946 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.051819086 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.829097986 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.829205990 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.843893051 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.843949080 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.844254017 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.886542082 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.922080040 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.922138929 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.922146082 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:32.922260046 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:32.963413954 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:33.096924067 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:33.096976042 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:33.097048998 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:33.097223997 CEST	49711	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:33.097246885 CEST	443	49711	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:36.115705967 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:36.115734100 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:36.115799904 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:36.117253065 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:36.117268085 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:36.905893087 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:36.906009912 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:36.907886982 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:36.907897949 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:36.908415079 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:36.949091911 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.085928917 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.127418041 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350128889 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350155115 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350163937 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350172997 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350225925 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350261927 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.350294113 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350313902 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.350351095 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.350353956 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.350389004 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.374273062 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.374305964 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:37.374344110 CEST	49712	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:06:37.374353886 CEST	443	49712	20.114.59.183	192.168.2.6
Oct 2, 2024 19:06:44.738807917 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:44.738877058 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:44.738974094 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:44.739605904 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:44.739618063 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.545603991 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.545692921 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.551803112 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.551820993 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.552037001 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.554083109 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.554171085 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.554178953 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.554425955 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.599410057 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.726924896 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.727125883 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:06:45.727200985 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.727376938 CEST	49716	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:06:45.727432013 CEST	443	49716	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:04.608340025 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:04.608388901 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:04.608462095 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:04.609050035 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:04.609062910 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.396497965 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.396682024 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.398920059 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.398940086 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.399185896 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.400844097 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.400897980 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.400907040 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.401025057 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.443411112 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.579147100 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.580146074 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.580240965 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.584054947 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:05.584085941 CEST	443	49717	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:05.584100962 CEST	49717	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:13.800112963 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:13.800167084 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:13.800277948 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:13.800642967 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:13.800653934 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.583218098 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.583288908 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.585036993 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.585043907 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.585273981 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.595113039 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.639394045 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.911829948 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.911851883 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.911869049 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.911947012 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.911962986 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.912020922 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.912992954 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.913034916 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.913049936 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.913055897 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.913078070 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.913094997 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.913130999 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.916944981 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.916960955 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:14.916975975 CEST	49718	443	192.168.2.6	20.114.59.183
Oct 2, 2024 19:07:14.916980982 CEST	443	49718	20.114.59.183	192.168.2.6
Oct 2, 2024 19:07:17.258438110 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.258446932 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.258485079 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.259680986 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.259695053 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.919370890 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.919584036 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.919608116 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.920166969 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.920237064 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.921169043 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.921227932 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.922223091 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.922326088 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.922431946 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:17.922446012 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:17.963059902 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:18.205243111 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:18.205322981 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:18.205346107 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:18.205364943 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:18.205415010 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:18.205729008 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:18.205743074 CEST	443	49721	142.250.186.46	192.168.2.6
Oct 2, 2024 19:07:18.205753088 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:18.205796003 CEST	49721	443	192.168.2.6	142.250.186.46
Oct 2, 2024 19:07:21.004980087 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.005028009 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.005100012 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.005306959 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.005322933 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.722266912 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.739998102 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.740024090 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.741061926 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.741128922 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.760224104 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.760373116 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.815735102 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.815753937 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:21.862626076 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:21.950225115 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:21.950278997 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:21.950356960 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:21.951328039 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:21.951343060 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.589370012 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.589452982 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.592358112 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.592367887 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.592606068 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.635188103 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.642899990 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.683438063 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.860260963 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.860331059 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.860387087 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.860450029 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.860466957 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.860477924 CEST	49732	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.860482931 CEST	443	49732	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.935607910 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.935646057 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:22.935931921 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.936275005 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:22.936290026 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.586998940 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.587053061 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.595808029 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.595823050 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.596014023 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.597440004 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.639395952 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.867820024 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.867896080 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.868112087 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.871745110 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.871763945 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:23.871774912 CEST	49736	443	192.168.2.6	184.28.90.27
Oct 2, 2024 19:07:23.871779919 CEST	443	49736	184.28.90.27	192.168.2.6
Oct 2, 2024 19:07:27.150515079 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.150561094 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.150758028 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.151010036 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.151026964 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.810368061 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.810609102 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.810640097 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.811038017 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.811094046 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.811773062 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.811836004 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.812689066 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.812764883 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.812990904 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:27.813010931 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:27.856496096 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.134844065 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.135005951 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.135055065 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.135076046 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.135144949 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.135257959 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.135298967 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.143311024 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.143403053 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.143420935 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.143429041 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.143505096 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.147856951 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.147953987 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.152442932 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.152538061 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.158442020 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.158508062 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.220832109 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.220907927 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.220927000 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.220938921 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.220978975 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.227041006 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.227102041 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.230343103 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.230396986 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.230407953 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.230416059 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.230443954 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.236499071 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.236541986 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.242949009 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.243021011 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.248995066 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.249038935 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.249073029 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.249083996 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.249114990 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.255505085 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.261257887 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.261359930 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.261394978 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.261687994 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.261710882 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.261744976 CEST	443	49750	142.250.185.206	192.168.2.6
Oct 2, 2024 19:07:28.261771917 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.261821032 CEST	49750	443	192.168.2.6	142.250.185.206
Oct 2, 2024 19:07:28.313946009 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.314039946 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.314146996 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.314409018 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.314439058 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.369323015 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.369390011 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.369461060 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.370057106 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.370069981 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.954523087 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.954829931 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.954852104 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.955225945 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.955281973 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.955974102 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.956022978 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.956938028 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.957020998 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:28.957474947 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:28.957484961 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.003083944 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.003341913 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.003372908 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.003782034 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.003829956 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.004499912 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.004627943 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.004867077 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.004929066 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.005173922 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.005179882 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.012095928 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.059295893 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.256357908 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.256908894 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.257107973 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.288122892 CEST	49753	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.288186073 CEST	443	49753	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.298171043 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.298224926 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.298289061 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.298785925 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.298801899 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.308176041 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.308252096 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.308309078 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.308572054 CEST	49755	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.308590889 CEST	443	49755	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.309425116 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.309464931 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.309536934 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.309827089 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.309844017 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.975076914 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.975481033 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.975507021 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.976016998 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.976151943 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.976937056 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.977001905 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.977149010 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.977258921 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.977344036 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.977365971 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.977371931 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.987584114 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.988296032 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.988325119 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.988691092 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.988745928 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.989384890 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.989442110 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.989590883 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.989650965 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:29.990230083 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.990300894 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:29.990309954 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.027359009 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.027410984 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.043076992 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.074290037 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.203918934 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.204808950 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.206896067 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.206994057 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.207580090 CEST	49758	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.207602978 CEST	443	49758	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.208343983 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.209254980 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.209891081 CEST	49759	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:30.209935904 CEST	443	49759	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:30.673477888 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:30.719403028 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.940881014 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.940942049 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.940977097 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:30.940979004 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.940990925 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.941019058 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:30.941030979 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.941224098 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:30.941284895 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:30.943994999 CEST	49729	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:07:30.944010973 CEST	443	49729	172.217.18.4	192.168.2.6
Oct 2, 2024 19:07:31.554351091 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:31.554447889 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:31.554569006 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:31.555175066 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:31.555202961 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.336231947 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.336409092 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.338318110 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.338349104 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.339131117 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.341042042 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.341104984 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.341116905 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.341274977 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.383456945 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.516412020 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.516597986 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:32.516685009 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.516835928 CEST	49765	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:07:32.516885042 CEST	443	49765	40.115.3.253	192.168.2.6
Oct 2, 2024 19:07:36.075747967 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.075799942 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.075994968 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.076946974 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.076961040 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.737202883 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.741537094 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.741601944 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.743104935 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.743468046 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.743660927 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.743660927 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:36.743663073 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.743804932 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:36.792860031 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:37.115784883 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:37.117377043 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:37.117501020 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:37.118355989 CEST	49767	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:37.118386984 CEST	443	49767	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:39.222023010 CEST	63810	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:39.227108002 CEST	53	63810	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:39.227374077 CEST	63810	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:39.227374077 CEST	63810	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:39.232404947 CEST	53	63810	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:39.700467110 CEST	53	63810	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:39.701189041 CEST	63810	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:39.707175970 CEST	53	63810	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:39.707252026 CEST	63810	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:58.946193933 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:58.946227074 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:58.946286917 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:58.946614027 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:58.946624994 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.451229095 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.451289892 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.451373100 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.451814890 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.451831102 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.663301945 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.663671970 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.663697958 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.664103031 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.664422035 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.664486885 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.664597988 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.664618015 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.664623022 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.965708971 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.965843916 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:07:59.965925932 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.966830015 CEST	63812	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:07:59.966850996 CEST	443	63812	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.175734997 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.179898024 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.179946899 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.180367947 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.180819035 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.180888891 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.181046009 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.181108952 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.181122065 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.478168964 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.479240894 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.479370117 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.484832048 CEST	63813	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.484880924 CEST	443	63813	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.961277962 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.961339951 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:00.961436033 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.961673021 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:00.961684942 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.655848026 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.656136036 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.656172037 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.656532049 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.656789064 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.656837940 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.657011032 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.657011032 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.657031059 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.960571051 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.961003065 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:01.961103916 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.961631060 CEST	63814	443	192.168.2.6	142.250.185.142
Oct 2, 2024 19:08:01.961673975 CEST	443	63814	142.250.185.142	192.168.2.6
Oct 2, 2024 19:08:02.538381100 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:02.538435936 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:02.538516998 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:02.539135933 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:02.539151907 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:03.866482019 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:03.866714001 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:03.871092081 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:03.871118069 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:03.871870041 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:03.873785973 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:03.873858929 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:03.873869896 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:03.874007940 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:03.915417910 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:04.054651022 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:04.054754019 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:04.054867029 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:04.055227041 CEST	63815	443	192.168.2.6	40.115.3.253
Oct 2, 2024 19:08:04.055246115 CEST	443	63815	40.115.3.253	192.168.2.6
Oct 2, 2024 19:08:21.051865101 CEST	63817	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:08:21.051923037 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:21.052035093 CEST	63817	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:08:21.052242994 CEST	63817	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:08:21.052256107 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:22.052059889 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:22.052458048 CEST	63817	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:08:22.052474022 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:22.054181099 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:22.054708958 CEST	63817	443	192.168.2.6	172.217.18.4
Oct 2, 2024 19:08:22.054910898 CEST	443	63817	172.217.18.4	192.168.2.6
Oct 2, 2024 19:08:22.106147051 CEST	63817	443	192.168.2.6	172.217.18.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:07:17.185554981 CEST	63762	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:17.185899973 CEST	52520	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:17.188520908 CEST	53	58483	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:17.192287922 CEST	53	63762	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:17.192986965 CEST	53	52520	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:17.193721056 CEST	53	51977	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:18.208015919 CEST	54532	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:18.208148956 CEST	53418	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:18.215579987 CEST	53	54532	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:18.216932058 CEST	53	53418	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:18.269987106 CEST	53	54841	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:20.996522903 CEST	57415	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:20.996716022 CEST	56762	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:21.003307104 CEST	53	56762	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:21.003988028 CEST	53	57415	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:21.687681913 CEST	53	51551	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:24.342114925 CEST	53	60210	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:27.141026020 CEST	60521	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:27.141093016 CEST	56338	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:27.147653103 CEST	53	60521	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:27.149612904 CEST	53	56338	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:28.292639971 CEST	56773	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:28.292789936 CEST	63156	53	192.168.2.6	1.1.1.1
Oct 2, 2024 19:07:28.299443007 CEST	53	56773	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:28.299726963 CEST	53	63156	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:35.174135923 CEST	53	51671	1.1.1.1	192.168.2.6
Oct 2, 2024 19:07:39.221456051 CEST	53	61636	1.1.1.1	192.168.2.6
Oct 2, 2024 19:08:16.944169998 CEST	53	58568	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:07:17.185554981 CEST	192.168.2.6	1.1.1.1	0xaebd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:17.185899973 CEST	192.168.2.6	1.1.1.1	0xfde6	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:07:18.208015919 CEST	192.168.2.6	1.1.1.1	0xd11f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.208148956 CEST	192.168.2.6	1.1.1.1	0x130	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:07:20.996522903 CEST	192.168.2.6	1.1.1.1	0x4dd3	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:20.996716022 CEST	192.168.2.6	1.1.1.1	0x9185	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:07:27.141026020 CEST	192.168.2.6	1.1.1.1	0x4d0a	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:27.141093016 CEST	192.168.2.6	1.1.1.1	0x36a7	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:07:28.292639971 CEST	192.168.2.6	1.1.1.1	0xc9a	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:28.292789936 CEST	192.168.2.6	1.1.1.1	0x7aa4	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:07:17.192287922 CEST	1.1.1.1	192.168.2.6	0xaebd	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:17.192986965 CEST	1.1.1.1	192.168.2.6	0xfde6	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.215579987 CEST	1.1.1.1	192.168.2.6	0xd11f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:18.216932058 CEST	1.1.1.1	192.168.2.6	0x130	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:18.216932058 CEST	1.1.1.1	192.168.2.6	0x130	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:07:21.003307104 CEST	1.1.1.1	192.168.2.6	0x9185	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:07:21.003988028 CEST	1.1.1.1	192.168.2.6	0x4dd3	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:27.147653103 CEST	1.1.1.1	192.168.2.6	0x4d0a	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:27.147653103 CEST	1.1.1.1	192.168.2.6	0x4d0a	No error (0)	www3.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:27.149612904 CEST	1.1.1.1	192.168.2.6	0x36a7	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:28.299443007 CEST	1.1.1.1	192.168.2.6	0xc9a	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49710	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:06:24 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 68 47 64 46 4e 38 6d 31 4d 55 79 69 31 59 37 77 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 34 33 37 32 30 31 33 62 34 39 65 31 65 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: hGdFN8m1MUyi1Y7w.1Context: 7e4372013b49e1e1
2024-10-02 17:06:24 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:06:24 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 68 47 64 46 4e 38 6d 31 4d 55 79 69 31 59 37 77 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 34 33 37 32 30 31 33 62 34 39 65 31 65 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: hGdFN8m1MUyi1Y7w.2Context: 7e4372013b49e1e1<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:06:24 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 68 47 64 46 4e 38 6d 31 4d 55 79 69 31 59 37 77 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 65 34 33 37 32 30 31 33 62 34 39 65 31 65 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: hGdFN8m1MUyi1Y7w.3Context: 7e4372013b49e1e1<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:06:25 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:06:25 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 72 55 36 78 34 4a 6a 6c 72 6b 79 30 72 7a 58 6a 53 6e 50 46 2f 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: rU6x4Jjlrky0rzXjSnPF/w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49711	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:06:32 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 59 72 4a 73 38 7a 66 2b 55 45 32 4d 6c 33 31 2b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 36 37 36 34 31 66 61 61 35 64 39 37 34 61 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: YrJs8zf+UE2Ml31+.1Context: b67641faa5d974a4
2024-10-02 17:06:32 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:06:32 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 59 72 4a 73 38 7a 66 2b 55 45 32 4d 6c 33 31 2b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 36 37 36 34 31 66 61 61 35 64 39 37 34 61 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: YrJs8zf+UE2Ml31+.2Context: b67641faa5d974a4<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:06:32 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 59 72 4a 73 38 7a 66 2b 55 45 32 4d 6c 33 31 2b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 36 37 36 34 31 66 61 61 35 64 39 37 34 61 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: YrJs8zf+UE2Ml31+.3Context: b67641faa5d974a4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:06:33 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:06:33 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 67 58 55 6c 69 41 61 71 58 30 53 68 35 49 35 53 4e 65 45 41 6c 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: gXUliAaqX0Sh5I5SNeEAlA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49712	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:06:37 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2wLcow5xOV9Wht&MD=y55AC6D1 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:06:37 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: fea6951c-014a-4ceb-b2d6-ece3d6107d94 MS-RequestId: 523357f4-e7af-4386-8bd9-a7f8cef2f9b2 MS-CV: sS+V1fPD4EmeTp9O.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:06:36 GMT Connection: close Content-Length: 24490
2024-10-02 17:06:37 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:06:37 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49716	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:06:45 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 37 55 69 46 44 33 55 33 45 55 4f 34 74 74 6b 78 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 38 34 31 30 33 30 65 38 34 66 38 32 38 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 7UiFD3U3EUO4ttkx.1Context: 14841030e84f8284
2024-10-02 17:06:45 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:06:45 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 37 55 69 46 44 33 55 33 45 55 4f 34 74 74 6b 78 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 38 34 31 30 33 30 65 38 34 66 38 32 38 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 7UiFD3U3EUO4ttkx.2Context: 14841030e84f8284<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:06:45 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 37 55 69 46 44 33 55 33 45 55 4f 34 74 74 6b 78 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 34 38 34 31 30 33 30 65 38 34 66 38 32 38 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 7UiFD3U3EUO4ttkx.3Context: 14841030e84f8284<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:06:45 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:06:45 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 41 55 45 68 6e 47 4b 68 30 61 72 2f 2f 49 41 46 7a 77 45 53 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fAUEhnGKh0ar//IAFzwESg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	49717	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:05 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6d 57 6a 6d 49 4c 78 39 64 55 65 46 38 49 73 43 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 32 38 36 63 64 61 65 39 61 39 33 62 32 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: mWjmILx9dUeF8IsC.1Context: a4286cdae9a93b28
2024-10-02 17:07:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:07:05 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6d 57 6a 6d 49 4c 78 39 64 55 65 46 38 49 73 43 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 32 38 36 63 64 61 65 39 61 39 33 62 32 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: mWjmILx9dUeF8IsC.2Context: a4286cdae9a93b28<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:07:05 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6d 57 6a 6d 49 4c 78 39 64 55 65 46 38 49 73 43 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 32 38 36 63 64 61 65 39 61 39 33 62 32 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: mWjmILx9dUeF8IsC.3Context: a4286cdae9a93b28<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:07:05 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:07:05 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 74 33 48 42 6b 6c 59 2b 4e 6b 47 34 42 69 5a 37 6a 4b 75 53 65 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: t3HBklY+NkG4BiZ7jKuSew.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49718	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:14 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2wLcow5xOV9Wht&MD=y55AC6D1 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:07:14 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: eb96a431-f3d0-4bd7-9814-5926526dd544 MS-RequestId: 872ebf8c-3c25-4f09-8115-888d241bd3a3 MS-CV: NYLXX1Wv80GASPNd.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:07:14 GMT Connection: close Content-Length: 30005
2024-10-02 17:07:14 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:07:14 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49721	142.250.186.46	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:17 UTC	839	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:18 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:07:18 GMT Date: Wed, 02 Oct 2024 17:07:18 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49732	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:22 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:07:22 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=85108 Date: Wed, 02 Oct 2024 17:07:22 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49736	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:23 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:07:23 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=85051 Date: Wed, 02 Oct 2024 17:07:23 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:07:23 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49750	142.250.185.206	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:27 UTC	1204	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1739765191&timestamp=1727888846436 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:28 UTC	1967	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-CRVSy9AmqDfzjyVS8Gf7EA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:07:28 GMT Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw0JBikPj6kkkNiJ3SZ7AGAHHSv_OsBUB8ufsS63UgVu25xGoMxEUSV1gbgFiIm-PC76_b2QRW9DayKekl5RfGZ6ak5pVkllSm5OcmZuYl5-dnZ6YWF6cWlaUWxRsZGJkYWBoZ6RlYxBcYAACgJizP" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 43 52 56 53 79 39 41 6d 71 44 66 7a 6a 79 56 53 38 47 66 37 45 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="CRVSy9AmqDfzjyVS8Gf7EA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c Data Ascii: =/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 Data Ascii: {switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b Data Ascii: ion(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f Data Ascii: G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="functio
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 Data Ascii: th.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);i
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 Data Ascii: ction(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="functi
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 Data Ascii: .isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Ma
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e Data Ascii: sure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=fun
2024-10-02 17:07:28 UTC	1967	IN	Data Raw: 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b Data Ascii: tring":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49753	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:28 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:29 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:29 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49755	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:29 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:29 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:29 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49758	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:29 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:29 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 34 37 35 38 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888847589",null,null,null
2024-10-02 17:07:30 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=KLPytg-qqAKJF-uiwpZnNjv2jjSHdkUzDs43AFDDj66mmok4n7iELtSIbx1egCpNrv01vAssgCHYb9nmxt41ZNSDbfRg3aeXnikk7_PKcG_-pVywc2jL0bkl0ZtJ12wIWLivnVWo2hovhBo50qg7fw2ongDfR-IXDy_DM-ZtK5w7HQebLw; expires=Thu, 03-Apr-2025 17:07:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:30 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:07:30 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:07:30 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:07:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49759	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:29 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 518 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:29 UTC	518	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 34 37 36 37 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888847670",null,null,null
2024-10-02 17:07:30 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=n7heLF4w9b8PogkQBevtUtN8SrbkjsfWFSYQGn4Pvl_GZS4l8akZWaXBvXyu66HGX1sLEfu1B87jo6psfm8M8c59vqgBUwvwHYlpmDISAp_aufGoPNCEwTwYf_NV6-75wvglD8WAHnfqTI-ZaO9rakNvoqhTOok9oK5TH4TAnWesJadtmQ; expires=Thu, 03-Apr-2025 17:07:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:30 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:07:30 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:07:30 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:07:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49729	172.217.18.4	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:30 UTC	1201	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=n7heLF4w9b8PogkQBevtUtN8SrbkjsfWFSYQGn4Pvl_GZS4l8akZWaXBvXyu66HGX1sLEfu1B87jo6psfm8M8c59vqgBUwvwHYlpmDISAp_aufGoPNCEwTwYf_NV6-75wvglD8WAHnfqTI-ZaO9rakNvoqhTOok9oK5TH4TAnWesJadtmQ
2024-10-02 17:07:30 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 5420 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:07:30 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:07:30 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 17:07:30 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:07:30 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 17:07:30 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.6	49765	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:32 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 71 6a 63 61 52 34 78 77 4d 45 43 73 46 74 6f 2b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 33 36 35 64 62 30 65 36 32 37 62 30 31 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: qjcaR4xwMECsFto+.1Context: b8365db0e627b01f
2024-10-02 17:07:32 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:07:32 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 71 6a 63 61 52 34 78 77 4d 45 43 73 46 74 6f 2b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 33 36 35 64 62 30 65 36 32 37 62 30 31 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: qjcaR4xwMECsFto+.2Context: b8365db0e627b01f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:07:32 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 71 6a 63 61 52 34 78 77 4d 45 43 73 46 74 6f 2b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 33 36 35 64 62 30 65 36 32 37 62 30 31 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: qjcaR4xwMECsFto+.3Context: b8365db0e627b01f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:07:32 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:07:32 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6d 48 4c 54 55 41 45 35 6b 45 6d 69 6e 51 48 78 36 4d 6e 6d 4e 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: mHLTUAE5kEminQHx6MnmNw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49767	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:36 UTC	1286	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=n7heLF4w9b8PogkQBevtUtN8SrbkjsfWFSYQGn4Pvl_GZS4l8akZWaXBvXyu66HGX1sLEfu1B87jo6psfm8M8c59vqgBUwvwHYlpmDISAp_aufGoPNCEwTwYf_NV6-75wvglD8WAHnfqTI-ZaO9rakNvoqhTOok9oK5TH4TAnWesJadtmQ
2024-10-02 17:07:36 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 34 35 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727888845000",null,null,null,
2024-10-02 17:07:37 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=XiQtClOrtxs-M95iptROLqqv-JpvbgqwzVF8KL5kwOc9h2pVPyvuaXLxBynbAhD66DOllDwHjaAiC8x6RTV6_aaBC3iznmgSZt3NnL7MmEatIa4cqbzmvMpG-Ld-Cs_rr6knjHcfEGGfYx8bjrqPhCIh58fetqx7G4Lrs_x2t7LLzpwsf_BhYT777Q; expires=Thu, 03-Apr-2025 17:07:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:37 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:07:37 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:07:37 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:07:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	63812	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:59 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1181 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=XiQtClOrtxs-M95iptROLqqv-JpvbgqwzVF8KL5kwOc9h2pVPyvuaXLxBynbAhD66DOllDwHjaAiC8x6RTV6_aaBC3iznmgSZt3NnL7MmEatIa4cqbzmvMpG-Ld-Cs_rr6knjHcfEGGfYx8bjrqPhCIh58fetqx7G4Lrs_x2t7LLzpwsf_BhYT777Q
2024-10-02 17:07:59 UTC	1181	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 37 38 32 34 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888878244",null,null,null
2024-10-02 17:07:59 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:07:59 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:07:59 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:07:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	63813	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:00 UTC	1277	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1033 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=XiQtClOrtxs-M95iptROLqqv-JpvbgqwzVF8KL5kwOc9h2pVPyvuaXLxBynbAhD66DOllDwHjaAiC8x6RTV6_aaBC3iznmgSZt3NnL7MmEatIa4cqbzmvMpG-Ld-Cs_rr6knjHcfEGGfYx8bjrqPhCIh58fetqx7G4Lrs_x2t7LLzpwsf_BhYT777Q
2024-10-02 17:08:00 UTC	1033	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-02 17:08:00 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:00 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:00 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	63814	142.250.185.142	443	964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:01 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1214 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=XiQtClOrtxs-M95iptROLqqv-JpvbgqwzVF8KL5kwOc9h2pVPyvuaXLxBynbAhD66DOllDwHjaAiC8x6RTV6_aaBC3iznmgSZt3NnL7MmEatIa4cqbzmvMpG-Ld-Cs_rr6knjHcfEGGfYx8bjrqPhCIh58fetqx7G4Lrs_x2t7LLzpwsf_BhYT777Q
2024-10-02 17:08:01 UTC	1214	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 38 30 32 36 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888880261",null,null,null
2024-10-02 17:08:01 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:01 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.6	63815	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:03 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 74 7a 67 78 47 6e 50 57 55 55 4f 66 63 4d 77 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 65 33 66 31 63 62 34 31 65 61 61 62 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: tzgxGnPWUUOfcMwf.1Context: 2afe3f1cb41eaab8
2024-10-02 17:08:03 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 17:08:03 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 74 7a 67 78 47 6e 50 57 55 55 4f 66 63 4d 77 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 65 33 66 31 63 62 34 31 65 61 61 62 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 37 6d 76 6a 47 59 36 63 47 46 46 53 6b 52 39 75 30 2f 4a 64 68 4a 4d 68 48 67 50 58 61 54 72 66 68 70 46 63 44 6b 32 34 54 56 73 2f 37 56 72 6f 39 4e 61 31 71 36 5a 35 77 52 4b 55 6c 30 2f 78 53 53 45 36 35 50 42 72 39 2b 34 2f 6d 35 4a 4d 38 36 5a 37 34 39 45 78 79 32 39 32 6a 2f 6d 70 33 69 45 65 72 72 39 5a 45 69 66 63 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: tzgxGnPWUUOfcMwf.2Context: 2afe3f1cb41eaab8<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV7mvjGY6cGFFSkR9u0/JdhJMhHgPXaTrfhpFcDk24TVs/7Vro9Na1q6Z5wRKUl0/xSSE65PBr9+4/m5JM86Z749Exy292j/mp3iEerr9ZEifc
2024-10-02 17:08:03 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 74 7a 67 78 47 6e 50 57 55 55 4f 66 63 4d 77 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 65 33 66 31 63 62 34 31 65 61 61 62 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: tzgxGnPWUUOfcMwf.3Context: 2afe3f1cb41eaab8<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 17:08:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 17:08:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 39 64 56 78 48 2b 72 6e 4e 30 4f 6b 37 2f 32 49 4e 78 39 4b 6c 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 9dVxH+rnN0Ok7/2INx9KlQ.0Payload parsing failed.

Target ID:	0
Start time:	13:06:18
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe40000
File size:	918'528 bytes
MD5 hash:	F8F75E38C6AC62437B87E91357B5E4B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:07:13
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:07:13
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:07:14
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	13:07:15
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	13:07:27
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	13:07:27
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1924,i,15881300021728988269,12277537631577109083,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1769
Total number of Limit Nodes:	84

Executed Functions

Function 00E5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E5F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E9F474
IsIconic.USER32(00000000), ref: 00E9F47D
ShowWindow.USER32(00000000,00000009), ref: 00E9F48A
SetForegroundWindow.USER32(00000000), ref: 00E9F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4AA
GetCurrentThreadId.KERNEL32 ref: 00E9F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00E9F4DE
SetForegroundWindow.USER32(00000000), ref: 00E9F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F4F6
keybd_event.USER32(00000012,00000000), ref: 00E9F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F50B
keybd_event.USER32(00000012,00000000), ref: 00E9F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F519
keybd_event.USER32(00000012,00000000), ref: 00E9F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F528
keybd_event.USER32(00000012,00000000), ref: 00E9F52D
SetForegroundWindow.USER32(00000000), ref: 00E9F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00E9F557

Strings

Shell_TrayWnd, xrefs: 00E9F46F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0a2872db900ce5d1f47576c6baab7ec1de3f53db25a3d59b38b6fcf1a03f6bf9
Instruction ID: 8803d0eaa2751f640cfc20a4312532d0f4300deff49733441a20a74cb8e1cef3
Opcode Fuzzy Hash: 0a2872db900ce5d1f47576c6baab7ec1de3f53db25a3d59b38b6fcf1a03f6bf9
Instruction Fuzzy Hash: 17315271A412197EEF206BB66C49FBF7F6CEB44B50F210066F601F61D1C6B09D00EA61

Function 00E442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E4430D

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

GetCurrentProcess.KERNEL32(?,00EDCB64,00000000,?,?), ref: 00E44422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E44429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E44454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E44466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E44474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E4447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E444A0

Strings

GetNativeSystemInfo, xrefs: 00E44460
kernel32.dll, xrefs: 00E4444F
|O, xrefs: 00E836F8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
Instruction ID: 7e891b8ae1a9f849d49a28f14ab25ab6c192494d1c276d11c875a358c8364e24
Opcode Fuzzy Hash: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
Instruction Fuzzy Hash: 08A1E9A190A2CCCFCB11D7B97C443D57FE47B26744F1AE49AD2B5B3A6AD2204508FB21

Function 00E442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E450AA,?,?,00000000,00000000), ref: 00E442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E450AA,?,?,00000000,00000000), ref: 00E442C9
LoadResource.KERNEL32(?,00000000,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20), ref: 00E835BE
SizeofResource.KERNEL32(?,00000000,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20), ref: 00E835D3
LockResource.KERNEL32(00E450AA,?,?,00E450AA,?,?,00000000,00000000,?,?,?,?,?,?,00E44F20,?), ref: 00E835E6

Strings

SCRIPT, xrefs: 00E442BF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
Instruction ID: caefd118e8bb3fa077b05847d81d1a1f8703c33c99367eba407977702178dde0
Opcode Fuzzy Hash: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
Instruction Fuzzy Hash: BA1170B0201701BFDB219B66EC48F677BB9EBC5B95F20416EB406A62A0DBB1D804C620

Function 00EADBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EADBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EADBDD
FindFirstFileW.KERNEL32(?,?), ref: 00EADBEE
FindClose.KERNEL32(00000000), ref: 00EADBFA

Strings

"R, xrefs: 00EADBCA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
Instruction ID: 1ad0a862d29b0573d466b0620cedc4557a32206d62cf6bf6475ea8b42e7b5180
Opcode Fuzzy Hash: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
Instruction Fuzzy Hash: 49F0A7304159155B82206B78AC0D4AA777CDF06374B604713F476E24F0EBB46D58C595

Function 00E82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E42B6B

Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F11418,?,00E42E7F,?,?,?,00000000), ref: 00E43A78

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F02224), ref: 00E82C10
ShellExecuteW.SHELL32(00000000,?,?,00F02224), ref: 00E82C17

Strings

runas, xrefs: 00E82C0B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 91ccb7d301ecea2c44e6622eebce02e93fdbbd6b1cf3b1bc7a50ffec73823a37
Instruction ID: f46fb37f4ff973cf8c4d50e6498dad5a10b0db843badc3088fa0bd293791ae82
Opcode Fuzzy Hash: 91ccb7d301ecea2c44e6622eebce02e93fdbbd6b1cf3b1bc7a50ffec73823a37
Instruction Fuzzy Hash: 7B11E1316083056AC704FF70F8559AEB7E4EB95744F84342DF286320A3CF618A49E712

Function 00E64CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002,00000000,?,00E728E9,00000003,00E72DF7,?,?), ref: 00E64D09
TerminateProcess.KERNEL32(00000000,?,00E728E9,00000003,00E72DF7,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000), ref: 00E64D10
ExitProcess.KERNEL32 ref: 00E64D22

Strings

(, xrefs: 00E64CEA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
Instruction ID: 4134db315a9462d3e302e5a3d5ab8be46796b55628e27341bbf3d3b8cd90d96b
Opcode Fuzzy Hash: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
Instruction Fuzzy Hash: 91E0B6B1441149AFCF11AF65FD09A583B69EB417C5F209055FC09AB162CB35DD46DA80

Function 00ECAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00ECB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB1D4
_wcslen.LIBCMT ref: 00ECB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB236
_wcslen.LIBCMT ref: 00ECB332

Part of subcall function 00EB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EB05C6

_wcslen.LIBCMT ref: 00ECB34B
_wcslen.LIBCMT ref: 00ECB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ECB3B6
GetLastError.KERNEL32(00000000), ref: 00ECB407
CloseHandle.KERNEL32(?), ref: 00ECB439
CloseHandle.KERNEL32(00000000), ref: 00ECB44A
CloseHandle.KERNEL32(00000000), ref: 00ECB45C
CloseHandle.KERNEL32(00000000), ref: 00ECB46E
CloseHandle.KERNEL32(?), ref: 00ECB4E3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c95ccb5f553953dc3668fbdae8f1876ae51e13f3006621b942194c5264590010
Instruction ID: dce77466a729df91e970f1096f030c4562abbc21dc1dc3e8d5a18bc0250a01b3
Opcode Fuzzy Hash: c95ccb5f553953dc3668fbdae8f1876ae51e13f3006621b942194c5264590010
Instruction Fuzzy Hash: EEF18B315083409FC714EF24D982B6EBBE5AF85314F14995DF899AB2A2DB32EC05CB52

Function 00E4D7CB Relevance: 21.6, APIs: 14, Instructions: 579windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E4D807
timeGetTime.WINMM ref: 00E4DA07
PeekMessageW.USER32(?), ref: 00E4DB28
TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: eaf4bbee0f9ced3b26fd7605fbf54fda33ae8e989c7367324451bd79db0d9968
Instruction ID: 76e950fc517d326a126ad6d4ba2887cbe8280b2359fa1bcecc8b89633475a5ee
Opcode Fuzzy Hash: eaf4bbee0f9ced3b26fd7605fbf54fda33ae8e989c7367324451bd79db0d9968
Instruction Fuzzy Hash: AE32C330608342EFDB28CF24DC84BAAB7E1FF85308F14A55EE655A7291D771E844DB92

Function 00E42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E42D07
RegisterClassExW.USER32(00000030), ref: 00E42D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
LoadIconW.USER32(000000A9), ref: 00E42D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94

Strings

AutoIt v3 GUI, xrefs: 00E42D23
0, xrefs: 00E42CE9
+, xrefs: 00E42CF0
TaskbarCreated, xrefs: 00E42D37

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
Instruction ID: 9e39ca80f39dd0b3fcf4dccf48b19d012682b3a6d84ee8955da06bb7fa249718
Opcode Fuzzy Hash: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
Instruction Fuzzy Hash: C221B2B590221DAFDB00DFA5E849BDDBBB8FB08741F10811BE621B62A0D7B14544DF91

Function 00E8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000,?,00E80704,00000000,0000000C), ref: 00E803B7

GetLastError.KERNEL32 ref: 00E8076F
__dosmaperr.LIBCMT ref: 00E80776
GetFileType.KERNELBASE(00000000), ref: 00E80782
GetLastError.KERNEL32 ref: 00E8078C
__dosmaperr.LIBCMT ref: 00E80795
CloseHandle.KERNEL32(00000000), ref: 00E807B5
CloseHandle.KERNEL32(?), ref: 00E808FF
GetLastError.KERNEL32 ref: 00E80931
__dosmaperr.LIBCMT ref: 00E80938

Strings

H, xrefs: 00E808BD

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
Instruction ID: ae7644bbac790e77f938957f31d143e5fc07c5f795180ae25235f0550d80ef6d
Opcode Fuzzy Hash: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
Instruction Fuzzy Hash: ACA12832A001088FDF19FF68D852BAD7BE0EB46324F14515AF819BB2A1DB319857DB91

Function 00E4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F11418,?,00E42E7F,?,?,?,00000000), ref: 00E43A78

Part of subcall function 00E43357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E43379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E4356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E8318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E831CE
RegCloseKey.ADVAPI32(?), ref: 00E83210
_wcslen.LIBCMT ref: 00E83277
_wcslen.LIBCMT ref: 00E83286

Strings

\, xrefs: 00E8328C
Include, xrefs: 00E83184, 00E831C5
Software\AutoIt v3\AutoIt, xrefs: 00E43560
\Include\, xrefs: 00E43527

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 51bd928fd5e7190d26bae68f89fa624ff874c84c36defa22e0216d20e14558dd
Instruction ID: 57395be05b935978e8c3e4806856c8ef9ad9b418b38b557ed1ab86f643a0d5ec
Opcode Fuzzy Hash: 51bd928fd5e7190d26bae68f89fa624ff874c84c36defa22e0216d20e14558dd
Instruction Fuzzy Hash: FA71D2714053059EC304EFA9EC8299BBBE8FF84740F41682EF559E31B1EB348A58DB52

Function 00E42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E42B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E42B9D
LoadIconW.USER32(00000063), ref: 00E42BB3
LoadIconW.USER32(000000A4), ref: 00E42BC5
LoadIconW.USER32(000000A2), ref: 00E42BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E42BEF
RegisterClassExW.USER32(?), ref: 00E42C40

Part of subcall function 00E42CD4: GetSysColorBrush.USER32(0000000F), ref: 00E42D07
Part of subcall function 00E42CD4: RegisterClassExW.USER32(00000030), ref: 00E42D31
Part of subcall function 00E42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
Part of subcall function 00E42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
Part of subcall function 00E42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
Part of subcall function 00E42CD4: LoadIconW.USER32(000000A9), ref: 00E42D85
Part of subcall function 00E42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94

Strings

0, xrefs: 00E42C0F
AutoIt v3, xrefs: 00E42C2F
#, xrefs: 00E42C16

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
Instruction ID: a8e15f0da920cc09ad9ab405f9d24cefa9c2440b6be9bc3cc87eaad3762d1764
Opcode Fuzzy Hash: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
Instruction Fuzzy Hash: AD212C70E02318AFDB109FA6EC55ADABFB4FB48B50F11801BF610B66A4D7B11554EF90

Function 00E43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E4316A,?,?), ref: 00E431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E4316A,?,?), ref: 00E43204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E43227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E4316A,?,?), ref: 00E43232
CreatePopupMenu.USER32 ref: 00E43246
PostQuitMessage.USER32(00000000), ref: 00E43267

Strings

TaskbarCreated, xrefs: 00E4322D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f7c228720415c08cf19b2f9c5632b89c4a202a4f937433db8c9d84fd3e5b4f78
Instruction ID: 2a377c38c5a62043a303c5bc28dd601c09dcf0c99326e1c8e4def471f4382e36
Opcode Fuzzy Hash: f7c228720415c08cf19b2f9c5632b89c4a202a4f937433db8c9d84fd3e5b4f78
Instruction Fuzzy Hash: D6417B30200208ABDF142B78BC1DBF93B59F705348F14711AFA1AB62E2C7B1AB40E765

Function 00E41410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E41459
CoUninitialize.COMBASE ref: 00E414F8
UnregisterHotKey.USER32(?), ref: 00E416DD
DestroyWindow.USER32(?), ref: 00E824B9
FreeLibrary.KERNEL32(?), ref: 00E8251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E8254B

Strings

close all, xrefs: 00E41454

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a19aaaed3163719815eb46bf1d0e06fef6f9af7dc97259b700d71aa7d5707d9f
Instruction ID: 247d0ed9c3b6ab31c48383703fe400d250eeeb04436db2860942dca53c3ab03f
Opcode Fuzzy Hash: a19aaaed3163719815eb46bf1d0e06fef6f9af7dc97259b700d71aa7d5707d9f
Instruction Fuzzy Hash: 66D18A307012128FCB19EF15E499A69F7A0BF05304F2462AEE94E7B262DB30EC52CF51

Function 00E42C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E42C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E42CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E41CAD,?), ref: 00E42CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E41CAD,?), ref: 00E42CCF

Strings

AutoIt v3, xrefs: 00E42C89, 00E42C8E, 00E42C8F
edit, xrefs: 00E42CAC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
Instruction ID: bc9f3359cccb8720cea0bde07ff5bc6fc13a9419a90f451349e5538d3cdab25a
Opcode Fuzzy Hash: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
Instruction Fuzzy Hash: FBF030755402947AEB3007236C08EB77E7DE7C6F50F11411AFA10A2164C2620841EE70

Function 00EAE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EAE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EAE9A5
Sleep.KERNEL32(00000000), ref: 00EAE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EAE9B7
Sleep.KERNELBASE ref: 00EAE9F3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f9a13e6ec150ada6519e59df6a1252185b470ecd992cbc07d43dc29173e75878
Instruction ID: e3d63f35112c54a2666c8e82089d6d7e4d206e70a9d1a55f17bfa369f46f7330
Opcode Fuzzy Hash: f9a13e6ec150ada6519e59df6a1252185b470ecd992cbc07d43dc29173e75878
Instruction Fuzzy Hash: 59011E31C02629DBCF049BE5E8596DEBBB8FB4E701F101596D502B6251CB30A555C761

Function 00E43B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E43B0F,SwapMouseButtons,00000004,?), ref: 00E43B83

Strings

Control Panel\Mouse, xrefs: 00E43B3E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
Instruction ID: 5517fabbf46f0f47191e03271727cad77295ae5b31aeaf5da3a64507aa719665
Opcode Fuzzy Hash: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
Instruction Fuzzy Hash: DD112AB5511208FFDB218FA5EC44AEEB7B9EF04784B10955AA805E7110D2319E449760

Function 00E91C90 Relevance: 6.0, APIs: 4, Instructions: 50windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E91CC9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 8a911fc0d3e61309f5eb53332e4e2913e90dbdadb7b827d3cd66c69e4917c062
Instruction ID: a74cc014d6c2a22aecac5791dfb7e83dd9590c4e05a70ac71644eb66446a58ca
Opcode Fuzzy Hash: 8a911fc0d3e61309f5eb53332e4e2913e90dbdadb7b827d3cd66c69e4917c062
Instruction Fuzzy Hash: 3411CE307093469FEB38CB31EC98FA677A8EF45354F24555AE609A7091DB30E848DB15

Function 00E51310 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E51645
__Init_thread_footer.LIBCMT ref: 00E517F6

Strings

CALL, xrefs: 00E517C6

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CallbackDispatcherInit_thread_footerUser
String ID: CALL
API String ID: 4084840411-4196123274
Opcode ID: 8738abbb5440c8a8c422b5adef4ef78dbdccde2cb064fa722e1f56276198cbe5
Instruction ID: d893a3b025ce0fca4bc95f69c8c699fda6fef6558946729a3cc167d1fae87b6f
Opcode Fuzzy Hash: 8738abbb5440c8a8c422b5adef4ef78dbdccde2cb064fa722e1f56276198cbe5
Instruction Fuzzy Hash: C922AD706083019FC714DF14C481B6ABBF1BF89315F14A99EF896AB362D771E949CB42

Function 00E4EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E4FE66

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8f605bc2be3952caf6593b7bdcecba49aad99685c58654b79c14e9eaa3648b73
Instruction ID: f0e4fcc02e61e5fc390bf3e2e4994d8704ad61a0974b91b48dfbe65c28a2bb97
Opcode Fuzzy Hash: 8f605bc2be3952caf6593b7bdcecba49aad99685c58654b79c14e9eaa3648b73
Instruction Fuzzy Hash: FFB29C74A08340CFCB24CF18E480A6AB7E1BF89714F24596DF895AB3A1D771EC45DB92

Function 00E43923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E833A2

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E43A04

Strings

Line: , xrefs: 00E833EB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a96ac457dfc14454d95d99943f3e3c8f054f91143dc13c2dbac5be00cae7abc7
Instruction ID: 43b4c6c5b228ffa32a6016c4ecd1b9286e2b3a41a406593a17c48e6c3f224d0b
Opcode Fuzzy Hash: a96ac457dfc14454d95d99943f3e3c8f054f91143dc13c2dbac5be00cae7abc7
Instruction Fuzzy Hash: CB31C371448304AAD725EB30EC45BEBB7E8AF85714F10692AF6A9A21D1DB709648C7C3

Function 00E5FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E60668

Part of subcall function 00E632A4: RaiseException.KERNEL32(?,?,?,00E6068A,?,00F11444,?,?,?,?,?,?,00E6068A,00E41129,00F08738,00E41129), ref: 00E63304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E60685

Strings

Unknown exception, xrefs: 00E60692

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: cafce3833986718dd43bc58f3fbebe3f278bc835fd5e654393d9dc41be1dcee0
Instruction ID: 9585e581713404c449f4be6c813168585c34981d32777ec502192bf1911aa1d0
Opcode Fuzzy Hash: cafce3833986718dd43bc58f3fbebe3f278bc835fd5e654393d9dc41be1dcee0
Instruction Fuzzy Hash: 6BF0C23498020D77CB00BAB4FC56D9E77BC5E403D4B606531F914B69E2EF71DA6AC681

Function 00E410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E41BF4
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E41BFC
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E41C07
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E41C12
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E41C1A
Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E41C22

Part of subcall function 00E41B4A: RegisterWindowMessageW.USER32(00000004,?,00E412C4), ref: 00E41BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E4136A
OleInitialize.OLE32 ref: 00E41388
CloseHandle.KERNEL32(00000000,00000000), ref: 00E824AB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 65b972d935e1756666a95996c322d2b9a11e11bc3339c3abc48ccc78376dc940
Instruction ID: e58b9c5764e5d69171d959777851b6670a220d84d5ebc0884d94e53f86604e78
Opcode Fuzzy Hash: 65b972d935e1756666a95996c322d2b9a11e11bc3339c3abc48ccc78376dc940
Instruction Fuzzy Hash: A471BBB49122098EC784DF7ABD556D53AE2FBC939431AD22ED30AE7362EB304445EF44

Function 00EAC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E43A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EAC259
KillTimer.USER32(?,00000001,?,?), ref: 00EAC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EAC270

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: cbd2ff1097e30652fa87f7aa99cd8e4ab7a7d8e1f38dc78b8bf987a221fe8734
Instruction ID: b565689ebf197cf5257d92185ecabf813d0052e54c4c772ddfbd0071801f4037
Opcode Fuzzy Hash: cbd2ff1097e30652fa87f7aa99cd8e4ab7a7d8e1f38dc78b8bf987a221fe8734
Instruction Fuzzy Hash: 2831C8709047446FEB328F7498557E7BBEC9B1B308F10149ED2DAB7251D3746A84CB51

Function 00E786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00E785CC,?,00F08CC8,0000000C), ref: 00E78704
GetLastError.KERNEL32(?,00E785CC,?,00F08CC8,0000000C), ref: 00E7870E
__dosmaperr.LIBCMT ref: 00E78739

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: c5426aafde7d1d654531b9aab214a32cd39bbbf51854d5e806b63d8a3c519b17
Instruction ID: fe38efb050363c26f1b2fad7727bbeae81b59a9e53679cfb4daf2084a1714933
Opcode Fuzzy Hash: c5426aafde7d1d654531b9aab214a32cd39bbbf51854d5e806b63d8a3c519b17
Instruction Fuzzy Hash: 31016F33A4512036D62462746A4E77E27868BA177CF35E11AF80CFB0E2DEE08C818650

Function 00E4DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E4DB7B
DispatchMessageW.USER32(?), ref: 00E4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
Sleep.KERNELBASE(0000000A), ref: 00E4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E91CC9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 781447b9b8672ff799139672fc3787231982218bd4c0d38cfd7c09c9f81eae0e
Instruction ID: 1cb1354de8ce03664900e8ff5a34b0bd74cdd4c7ac35afbd30605cde66bae923
Opcode Fuzzy Hash: 781447b9b8672ff799139672fc3787231982218bd4c0d38cfd7c09c9f81eae0e
Instruction Fuzzy Hash: D5F05E306093459BEB34CB71AC49FEA73A8EB44354F105A1AE61AA30C0DB30A488DB15

Function 00ED1EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 00ED2043

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Strings

all, xrefs: 00ED1F09

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: 59a2592ff1bfdc295743489d37a85248964de6ec18494190968be368c3b5c411
Instruction ID: 6c406062700aca9059bb6be4064e7ff8fd4660b00d1225fda2ccd91bb315c2b3
Opcode Fuzzy Hash: 59a2592ff1bfdc295743489d37a85248964de6ec18494190968be368c3b5c411
Instruction Fuzzy Hash: 36519A71204201AFC304EF24D886E5ABBE5FF88314F04595EF95AAB292DB71E945CB92

Function 00E501E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df3fbef00cfdff9f1d2b60ba18da025cf81f33dadee1a701206e60b93398149
Instruction ID: 5b8940cf30f495fb49ccf6bb94cd465f7a932be86377e6b4f9f84c04012d68b6
Opcode Fuzzy Hash: 3df3fbef00cfdff9f1d2b60ba18da025cf81f33dadee1a701206e60b93398149
Instruction Fuzzy Hash: 2F32CF31A00605DFCF25DF64C885BAEB3B1AF04315F14A969FD16BB2A2D731AD48CB91

Function 00E42DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E82C8C

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00E42DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E42DC4

Strings

X, xrefs: 00E82C5A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5bd599c2ef7b0e7f46c24ab7bdd5236930f9410afb4e9d29cfc7ff0546909ece
Instruction ID: 479c6942daa0bfd4bce743bbbd05c64fa646392d567b3b362ad9662845bf41e6
Opcode Fuzzy Hash: 5bd599c2ef7b0e7f46c24ab7bdd5236930f9410afb4e9d29cfc7ff0546909ece
Instruction Fuzzy Hash: 4921C370A002589FCB01EF94D805BEE7BFCAF48304F009059E609F7281DBB45A49DF61

Function 00E43837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E43908

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 5e459d0d0f37339c4f2d273174cde342222baad201c1b8ac0134cfba8646a7ff
Instruction ID: 97716a7d7ecfe5a41ad2f6397fcda4e834f256add515142c2c3789f4a56eba31
Opcode Fuzzy Hash: 5e459d0d0f37339c4f2d273174cde342222baad201c1b8ac0134cfba8646a7ff
Instruction Fuzzy Hash: 8831A0B05043058FD720DF34E8857D7BBE4FB49708F00092EF6A9A3280E771AA44DB52

Function 00E5F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E5F661
Sleep.KERNEL32(00000000), ref: 00E9F2DE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 2ebc87946d56c8d6cee828d83202251049b40ee008cdc3cf8dee9e41702418f0
Instruction ID: f0faeba70962be637255110641c31ebaa8c76b4cfa6ad4752cf50143707e94b8
Opcode Fuzzy Hash: 2ebc87946d56c8d6cee828d83202251049b40ee008cdc3cf8dee9e41702418f0
Instruction Fuzzy Hash: 2DF08C31240205AFD310EF79E949BAAB7E9EF85761F00012AE85DE72A0DB70A804CB91

Function 00E4B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E4BB4E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: cd8568fbe5c4a1c37d7702ec495551023a204f212adc7820ea180d296d020a8f
Instruction ID: 4fff29daffe4fad177b2dcd80671b64822db806816c8d5fd5fb3958053372cb5
Opcode Fuzzy Hash: cd8568fbe5c4a1c37d7702ec495551023a204f212adc7820ea180d296d020a8f
Instruction Fuzzy Hash: 5432CB30A00209DFCF24CF54D894ABEB7B9EF48308F59A059E915BB261C775ED81DB91

Function 00E9647C Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E51645

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8ba8dc9ad0c82f22fa0e0dd426412d3dc584e019d22e827c9ee2611c4a6aa11d
Instruction ID: a288f4320ec3f2a562b0e5f4d0bc2bbcd7c096cc446f6a543be8eb14151b0927
Opcode Fuzzy Hash: 8ba8dc9ad0c82f22fa0e0dd426412d3dc584e019d22e827c9ee2611c4a6aa11d
Instruction Fuzzy Hash: 9B4176746043019FC710DF14C881B1ABBF1BF86319F14AC5EF999A7391D7B2E8698B52

Function 00E9644A Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E51645

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2c2318cfeec003d5ca54a0dd5ab8e709f79690c8255faf436ce389871b40e33e
Instruction ID: 06a41dc119853e3e3b9922574b153bfca9e206ccdbe5b76f8ffe972d22564472
Opcode Fuzzy Hash: 2c2318cfeec003d5ca54a0dd5ab8e709f79690c8255faf436ce389871b40e33e
Instruction Fuzzy Hash: FC4167706043019FD710DF14C881B1ABBF1BF8A319F149C59F999A7351D7B2E869CB52

Function 00ED13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00ED1420

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 598cb70ebe4440e22ccff2837de36eb5828482cfaffe261bde2bb53a510b911a
Instruction ID: a07af06fd58ebda191ef2225f5fb0599ba8116c7800c6fb42023e75264ce4654
Opcode Fuzzy Hash: 598cb70ebe4440e22ccff2837de36eb5828482cfaffe261bde2bb53a510b911a
Instruction Fuzzy Hash: 80318D30204202AFD714EF25C491B69B7E2FF85328F1491AAE8256F392DB35FC46CB90

Function 00E44ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E44E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E9C
Part of subcall function 00E44E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E44EAE
Part of subcall function 00E44E90: FreeLibrary.KERNEL32(00000000,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EFD

Part of subcall function 00E44E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E62
Part of subcall function 00E44E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E44E74
Part of subcall function 00E44E59: FreeLibrary.KERNEL32(00000000,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E87

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 442ea5f61fdbaba31b078ba22307fa562a33ca5ef54573cbd2eadd6ad604f9eb
Instruction ID: 4f4df9f8cf0b26c3a6d5e97de7540f9d8fc96c9bf4e56092e095eb4d8d772e3b
Opcode Fuzzy Hash: 442ea5f61fdbaba31b078ba22307fa562a33ca5ef54573cbd2eadd6ad604f9eb
Instruction Fuzzy Hash: C811E372700305ABCB14BF70EC02FAD77E5AF40B10F20A42EF546BA1D1EE709A499760

Function 00ED2658 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000001,?), ref: 00ED26E0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 65bfc455309577cccd7734b62cd84ed820f1f338dcbc97704c2682f0178061f4
Instruction ID: 367a4269ce9b494b5d99e3a9f80a9433787134ec4fdccff1a4f149f6be2e1d54
Opcode Fuzzy Hash: 65bfc455309577cccd7734b62cd84ed820f1f338dcbc97704c2682f0178061f4
Instruction Fuzzy Hash: C711E6302003419FD710DB24C490B26B7D5FBA5358F14605EE556AF352C732EC82CB90

Function 00E78402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E78440

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
Instruction ID: fcb06b9c71d9d634afeaba011a716eba10c105f2fa87694d93f40e85cb711ea8
Opcode Fuzzy Hash: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
Instruction Fuzzy Hash: 6F11487190410AAFCB05DF58E9449DE7BF4EF48314F108059F818AB312EA70DA11CBA4

Function 00ED29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00ED14B5,?), ref: 00ED2A01

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3bf4c401a0de76b1d82ce73cb13ca2f76020cb02919247ac54c57e63119f74cf
Instruction ID: 7f03ced42c63b06bb623996e0013cee667e68f8245ce88a96ee8690f41b3e210
Opcode Fuzzy Hash: 3bf4c401a0de76b1d82ce73cb13ca2f76020cb02919247ac54c57e63119f74cf
Instruction Fuzzy Hash: A1019E36300A429FD3258A2DC554B263792EBE5318F29E46EC247AB355DB32EC43C7A0

Function 00E6E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b8eb17cdf11a3998efc85cafae312c082b743952add054f68e96690837f246e0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C4F02D36550A1496D7313A75FD05B9E33D89F623B4F105715F525B33D2CB70D80186A6

Function 00E73820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
Instruction ID: 3547a153486c303656d93628c8176f9e39d9081420111704cf2ff213a7d929b7
Opcode Fuzzy Hash: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
Instruction Fuzzy Hash: 84E0E53114122596F7652A77AC00FDA77C8AB427F4F15A222FC1CB65D1CB31DD01B1E2

Function 00EADB6D Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,00000000,00010000), ref: 00EADB88

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassName
String ID:
API String ID: 1191326365-0
Opcode ID: 7faa80a64dec6563d601add1963a2d874305f86d2ef5583416c80ad8414de4fb
Instruction ID: 827d9a630b4c58ec93d76d5d858202588ab2807f40c729201f27203e202710d8
Opcode Fuzzy Hash: 7faa80a64dec6563d601add1963a2d874305f86d2ef5583416c80ad8414de4fb
Instruction Fuzzy Hash: FBE0D12260911127C2153B75AC05DEF7ADDDF453B1B051035F045B6291CF5408C1C2E1

Function 00E44F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44F6D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3be04341adf3a91d5908e7c70b5dccd9b838bf974b5b6f6b5d9c7d2f8b10e4fa
Instruction ID: 3994a81bfbef88181a77ed0fd30d60e33ae119a3d2ef9d24ff20c51410ebbd5d
Opcode Fuzzy Hash: 3be04341adf3a91d5908e7c70b5dccd9b838bf974b5b6f6b5d9c7d2f8b10e4fa
Instruction Fuzzy Hash: 1DF01CB1305752CFDB349F65E490956BBE4BF14319320A96EE1EAA2661C7319848DB10

Function 00ED2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00ED2A66

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 191acbc46c6a0fdcb81326b128f106aed68760c44e8a6b40ac09429ca2e368c6
Instruction ID: e6074a4a3887614c7753e4b04bb596f03e024152685cabbff96e80dc6cb55ae5
Opcode Fuzzy Hash: 191acbc46c6a0fdcb81326b128f106aed68760c44e8a6b40ac09429ca2e368c6
Instruction Fuzzy Hash: 08E048753511166EC714EA30DC804FA779CDBA5395710653BBD16E6240EB30D95686A0

Function 00E430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E4314E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ede20d7b232b2d836c80d5efc572748c668ac1c0f6c12c73c5c0d2d5eb72899f
Instruction ID: a444c53e8b0775b1975e9b336aa03f3925cda7a1081d6ea88f06efb32f84cca2
Opcode Fuzzy Hash: ede20d7b232b2d836c80d5efc572748c668ac1c0f6c12c73c5c0d2d5eb72899f
Instruction Fuzzy Hash: 84F0A7709003189FE7529B24EC457D57BFCB70170CF0001E9A258A6285D7704788CF41

Function 00E42DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E42DC4

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: dc92a20e526c2ffd96f79b954a9db1c8ea828be7a2f0a84051adcd204d507ef4
Instruction ID: 0f6aab4bb52d6e418fb3a2038ac1802b8bad07b481293cb54be9f4b3cdabcc46
Opcode Fuzzy Hash: dc92a20e526c2ffd96f79b954a9db1c8ea828be7a2f0a84051adcd204d507ef4
Instruction Fuzzy Hash: 41E0CD726001245BCB10A2989C05FDA77DDDFC87D4F0400B1FD0DF7258D960AD84C651

Function 00E42B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E43908

SetCurrentDirectoryW.KERNEL32(?), ref: 00E42B6B

Part of subcall function 00E430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E4314E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectory
String ID:
API String ID: 2619246295-0
Opcode ID: fa13e4e472819d2d117e340dadee8405431e3b3bae061751f4f34acc4fcf018e
Instruction ID: 94d0a414e82a376f021ee5de6dbc68a3af64f4afdb28bd39b9eb9f9d4b724872
Opcode Fuzzy Hash: fa13e4e472819d2d117e340dadee8405431e3b3bae061751f4f34acc4fcf018e
Instruction Fuzzy Hash: BEE0862170424407CA08FB75B8565AEF7D9DBD6755F40353EF242B31A3CE6545898251

Function 00EADB3C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,Function_0006DB6D,00000000), ref: 00EADB57

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 01b85d9656935a1b482cdc3582eb1ffeb611c7362925fbc7348b28bf338d4f19
Instruction ID: d40c048058ccd3201f24fb673a1dadda6d89d03ad88669ac803b833da94bddee
Opcode Fuzzy Hash: 01b85d9656935a1b482cdc3582eb1ffeb611c7362925fbc7348b28bf338d4f19
Instruction Fuzzy Hash: 98D0A76234111027C618265D7CD1EAE92CEDFCE731B1E107AF116F71810E641C011179

Function 00E8039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000,?,00E80704,00000000,0000000C), ref: 00E803B7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 57fe7a093191346b065deb32a9d46b88e368fb7e519e9ccde43dc136fc9be68c
Instruction ID: 0cd696c910461c659d4f3299ca304a64bde9ea4b0f3ab533817766873ecb6ea3
Opcode Fuzzy Hash: 57fe7a093191346b065deb32a9d46b88e368fb7e519e9ccde43dc136fc9be68c
Instruction Fuzzy Hash: A6D06C3204010DBFDF028F85ED06EDA3BAAFB48754F114000BE5866020C732E821EB90

Function 00E41CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E41CBC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 14126ab6f435094387aa61801611db27ac7f5b5f48c5f88553938393c23241a8
Instruction ID: df4ac21abf85d989e4da064012c141ae06923602e4601da8776efb3f329f56b7
Opcode Fuzzy Hash: 14126ab6f435094387aa61801611db27ac7f5b5f48c5f88553938393c23241a8
Instruction Fuzzy Hash: 8FC09236280309AFF6548BC0BC9AF907B65F34CB00F19C102F709A95E3C3A22820FA50

Non-executed Functions

Function 00ED9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ED961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00ED969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED96C9
SendMessageW.USER32 ref: 00ED96F2
GetKeyState.USER32(00000011), ref: 00ED978B
GetKeyState.USER32(00000009), ref: 00ED9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED97AE
GetKeyState.USER32(00000010), ref: 00ED97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED97E9
SendMessageW.USER32 ref: 00ED9810
SendMessageW.USER32(?,00001030,?,00ED7E95), ref: 00ED9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ED992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ED9941
SetCapture.USER32(?), ref: 00ED994A
ClientToScreen.USER32(?,?), ref: 00ED99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ED99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ED99D6
ReleaseCapture.USER32 ref: 00ED99E1
GetCursorPos.USER32(?), ref: 00ED9A19
ScreenToClient.USER32(?,?), ref: 00ED9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9A80
SendMessageW.USER32 ref: 00ED9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9AEB
SendMessageW.USER32 ref: 00ED9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ED9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ED9B4A
GetCursorPos.USER32(?), ref: 00ED9B68
ScreenToClient.USER32(?,?), ref: 00ED9B75
GetParent.USER32(?), ref: 00ED9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9BFA
SendMessageW.USER32 ref: 00ED9C2B
ClientToScreen.USER32(?,?), ref: 00ED9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00ED9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9CDE
SendMessageW.USER32 ref: 00ED9D01
ClientToScreen.USER32(?,?), ref: 00ED9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00ED9D82

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

GetWindowLongW.USER32(?,000000F0), ref: 00ED9E05

Strings

@GUI_DRAGID, xrefs: 00ED997D
F, xrefs: 00ED9D07

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 207390fbc2afa9d37b4d86a273268d274532e745d3c894ec26b229bd99d8083e
Instruction ID: 83f987b614e6fe54f260cbb7dc2243208a20a142dd237f77decb72b277ddbf0a
Opcode Fuzzy Hash: 207390fbc2afa9d37b4d86a273268d274532e745d3c894ec26b229bd99d8083e
Instruction Fuzzy Hash: 0A42BE30204201AFDB24CF24DC44AAABBE5FF48754F14561EF6A9A73E2D731E856DB42

Function 00ED4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00ED48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00ED4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00ED4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00ED494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00ED495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00ED497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00ED49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00ED49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00ED4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A7E
IsMenu.USER32(?), ref: 00ED4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED4B20
GetWindowLongW.USER32(?,000000F0), ref: 00ED4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00ED4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00ED4C82
wsprintfW.USER32 ref: 00ED4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00ED4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00ED4D5A

Strings

%d/%02d/%02d, xrefs: 00ED4CA8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b20c6a977a42d38fd922bc39536bd0683ee77d06b020103d8e84039173c6252d
Instruction ID: af28778781d3a616326c1c04e9c506d6ba6460255e01d6a67b849e187d9d32d6
Opcode Fuzzy Hash: b20c6a977a42d38fd922bc39536bd0683ee77d06b020103d8e84039173c6252d
Instruction Fuzzy Hash: 331210B1600205AFEB248F25DC49FAE7BF8EF55714F10612AF915FA2E0DB749A42CB50

Function 00EA1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EA1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EA12A8
CloseHandle.KERNEL32(?), ref: 00EA12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EA12D1
GetProcessWindowStation.USER32 ref: 00EA12EA
SetProcessWindowStation.USER32(00000000), ref: 00EA12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EA1310

Part of subcall function 00EA10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EA11FC), ref: 00EA10D4
Part of subcall function 00EA10BF: CloseHandle.KERNEL32(?,?,00EA11FC), ref: 00EA10E9

Strings

, xrefs: 00EA125A
default, xrefs: 00EA130B
winsta0, xrefs: 00EA12CC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b6304ce1b4356e174fd301161f00aae4d949eed4025be7aa6e4a19fdc21af862
Instruction ID: 1ffcd77d93266806ec079102a4c1175759c1d8184a5dba7ae7ec07df65e83dc8
Opcode Fuzzy Hash: b6304ce1b4356e174fd301161f00aae4d949eed4025be7aa6e4a19fdc21af862
Instruction Fuzzy Hash: 72819E71900209AFDF119FA9DC49FEE7BB9EF0D744F1451AAF920BA1A0C774A944CB21

Function 00EA0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
Part of subcall function 00EA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EA0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EA0C00
GetLengthSid.ADVAPI32(?), ref: 00EA0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EA0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EA0C6D
GetLengthSid.ADVAPI32(?), ref: 00EA0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EA0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EA0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0CB4
CopySid.ADVAPI32(00000000), ref: 00EA0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EA0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D45
HeapFree.KERNEL32(00000000), ref: 00EA0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D55
HeapFree.KERNEL32(00000000), ref: 00EA0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0D65
HeapFree.KERNEL32(00000000), ref: 00EA0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA0D78
HeapFree.KERNEL32(00000000), ref: 00EA0D7F

Part of subcall function 00EA1193: GetProcessHeap.KERNEL32(00000008,00EA0BB1,?,00000000,?,00EA0BB1,?), ref: 00EA11A1
Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EA0BB1,?), ref: 00EA11B7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
Instruction ID: 25e20835a46eee071662b84aedb00990ef1781747f0852107cf4265c5fec66fa
Opcode Fuzzy Hash: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
Instruction Fuzzy Hash: 22719C7290121AAFDF10DFA5EC44BAEBBB8FF09354F144115E914BB190D771A909CBA0

Function 00EBEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EDCC08), ref: 00EBEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EBEB37
GetClipboardData.USER32(0000000D), ref: 00EBEB43
CloseClipboard.USER32 ref: 00EBEB4F
GlobalLock.KERNEL32(00000000), ref: 00EBEB87
CloseClipboard.USER32 ref: 00EBEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EBEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EBEBC9
GetClipboardData.USER32(00000001), ref: 00EBEBD1
GlobalLock.KERNEL32(00000000), ref: 00EBEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EBEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EBEC38
GetClipboardData.USER32(0000000F), ref: 00EBEC44
GlobalLock.KERNEL32(00000000), ref: 00EBEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EBEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EBECF3
CountClipboardFormats.USER32 ref: 00EBED14
CloseClipboard.USER32 ref: 00EBED59

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
Instruction ID: 930d26ced6e287c3c7b785a65c0e80cb59d0be1a2a3ce3195e79de56f8d9d516
Opcode Fuzzy Hash: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
Instruction Fuzzy Hash: D461A0352042029FD310EF25E885FABB7E8EF84758F14651AF456B72A2CB71DD09CB62

Function 00EB698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB69BE
FindClose.KERNEL32(00000000), ref: 00EB6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EB6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EB6A75

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6ADF

Strings

%4d, xrefs: 00EB6BB1
%03d, xrefs: 00EB6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EB6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00EB6B6A
%02d, xrefs: 00EB6C00, 00EB6C0A, 00EB6C5A, 00EB6CAA, 00EB6CFA, 00EB6D4A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
Instruction ID: 7207e7a5f80b42f7a5d6624915460cff32c8031bddc64e36fb570d1e61b40e8b
Opcode Fuzzy Hash: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
Instruction Fuzzy Hash: 77D14271508300AFC714EBA4D891EAFB7ECAF88704F44591DF585E7192EB78DA48CB62

Function 00EB9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EB9663
GetFileAttributesW.KERNEL32(?), ref: 00EB96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EB96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EB96D3
FindClose.KERNEL32(00000000), ref: 00EB96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EB96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB974A
SetCurrentDirectoryW.KERNEL32(00F06B7C), ref: 00EB9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB9772
FindClose.KERNEL32(00000000), ref: 00EB977F
FindClose.KERNEL32(00000000), ref: 00EB978F

Strings

*.*, xrefs: 00EB96F5

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
Instruction ID: 477f0aeabb417e520eca6b65039dc6e0fe1a440efb38c0746422e3dfc3f58c3c
Opcode Fuzzy Hash: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
Instruction Fuzzy Hash: 3F31D07264161A6ECB20AFB5EC48ADF77ECDF49364F205157FA04F21A1EB34D944CA50

Function 00EB979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EB97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EB9819
FindClose.KERNEL32(00000000), ref: 00EB9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EB9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB9890
SetCurrentDirectoryW.KERNEL32(00F06B7C), ref: 00EB98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB98B8
FindClose.KERNEL32(00000000), ref: 00EB98C5
FindClose.KERNEL32(00000000), ref: 00EB98D5

Part of subcall function 00EADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EADB00

Strings

*.*, xrefs: 00EB983B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
Instruction ID: ed3aba3130f830c6eb02f0d6be297807dbd4a13ef59cc3e153c186fa3e1e084a
Opcode Fuzzy Hash: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
Instruction Fuzzy Hash: 7A31F27254161A6EDB24AFB4EC48ADF77BCDF0A364F205166EA00F20A1DB30D948DB60

Function 00ECBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00ECBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00ECBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00ECC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00ECC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ECC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ECC382
RegCloseKey.ADVAPI32(00000000), ref: 00ECC38F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c2f92a6b4cdb14d0eb6b9d10a38077a7755592c04d75797528d886a21286ae3f
Instruction ID: 09805840f822113d2a30beb89c459f27f4a16e64c7a24afb857285d864f6af19
Opcode Fuzzy Hash: c2f92a6b4cdb14d0eb6b9d10a38077a7755592c04d75797528d886a21286ae3f
Instruction Fuzzy Hash: 5B024E716042409FC714CF28D995F2ABBE5EF89318F18949DF849EB2A2D732EC46CB51

Function 00EB8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EB8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EB8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EB8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EB8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EB838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8395

Strings

*.*, xrefs: 00EB839B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
Instruction ID: f7ed375c8c6cad6828da5ca2b102b2d51f1c4282a4b2064a14955e08dc69fd39
Opcode Fuzzy Hash: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
Instruction Fuzzy Hash: EB616A725043059FC710EF64D84099FB3EDFF89314F04591AF989A7251EB35E909CB92

Function 00EAD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EAD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EAD1DD
MoveFileW.KERNEL32(?,?), ref: 00EAD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EAD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD237

Part of subcall function 00EAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EAD21C,?,?), ref: 00EAD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EAD253
FindClose.KERNEL32(00000000), ref: 00EAD264

Strings

\*.*, xrefs: 00EAD0CD, 00EAD0D6, 00EAD0EB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
Instruction ID: 3cd9308bcbdbfe248c167277da91c0cb89bb5cad4f5cc9fd2ce2f6ef014fa0b8
Opcode Fuzzy Hash: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
Instruction Fuzzy Hash: CB615D31C0610D9ECF05EBE0ED92AEDB7B5AF5A304F245165E4027B1A2EB346F09DB60

Function 00EBED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EBED91
EmptyClipboard.USER32 ref: 00EBED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EBEDAC
CloseClipboard.USER32 ref: 00EBEEA3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
Instruction ID: ded7399f6d92ae488658a5e73f8b543b15343829dab0b48a17c384bb6301141e
Opcode Fuzzy Hash: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
Instruction Fuzzy Hash: 4D41EF30205612AFD310CF26E888B9ABBE5FF44358F24E099E425AB762C775EC41CBC0

Function 00EAE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A

ExitWindowsEx.USER32(?,00000000), ref: 00EAE932

Strings

, xrefs: 00EAE95C
SeShutdownPrivilege, xrefs: 00EAE902
@, xrefs: 00EAE925
, xrefs: 00EAE920

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
Instruction ID: e61f3434aae2fd4143754d1ed7b0e95a82bbdbdb8e4d2e9138c538f8ecc64f9c
Opcode Fuzzy Hash: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
Instruction Fuzzy Hash: 0C012632610311AFEB1422B9AC86BFB729C9B4E784F2464A2FC02FA2D1D5A07C4481A0

Function 00EC1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00EC1276
WSAGetLastError.WSOCK32 ref: 00EC1283
bind.WSOCK32(00000000,?,00000010), ref: 00EC12BA
WSAGetLastError.WSOCK32 ref: 00EC12C5
closesocket.WSOCK32(00000000), ref: 00EC12F4
listen.WSOCK32(00000000,00000005), ref: 00EC1303
WSAGetLastError.WSOCK32 ref: 00EC130D
closesocket.WSOCK32(00000000), ref: 00EC133C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
Instruction ID: dd0dee481eea1b26f553316639560b5a868a9ee7da30f535b43d184769e20fce
Opcode Fuzzy Hash: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
Instruction Fuzzy Hash: A041A0356001419FD714DF24D584F29BBE5EF46318F28918DD856AF2A3C732EC86DBA1

Function 00E7B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E7B9D4
_free.LIBCMT ref: 00E7B9F8
_free.LIBCMT ref: 00E7BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EE3700), ref: 00E7BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F1121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E7BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F11270,000000FF,?,0000003F,00000000,?), ref: 00E7BC36
_free.LIBCMT ref: 00E7BD4B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 2940a3841b95e59d357ee8180379c688fd86a63c5a3889203ec01eb95dc68c27
Instruction ID: d468f0c2463efc6ff6d7f69f517233c935cf313bbbe0b12fdb3351fc60f3a14a
Opcode Fuzzy Hash: 2940a3841b95e59d357ee8180379c688fd86a63c5a3889203ec01eb95dc68c27
Instruction Fuzzy Hash: 88C12771904249AFDB21EF789C41BAABBF8EF41314F14E19AE998F7251E7308E41D750

Function 00EAD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EAD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EAD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD481
FindClose.KERNEL32(00000000), ref: 00EAD498
FindClose.KERNEL32(00000000), ref: 00EAD4A1

Strings

\*.*, xrefs: 00EAD3F2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
Instruction ID: b05f46a3ac9404aaf104b11cddc43c038a40aebe69984c735607053de94f0c40
Opcode Fuzzy Hash: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
Instruction Fuzzy Hash: E531727100D3459FC304EF64E8558AF77E8AE9A314F446A2DF4E2631A1EB30AA09D763

Function 00E7E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E7E645

Strings

1#IND, xrefs: 00E7F83D
1#SNAN, xrefs: 00E7F844
1#INF, xrefs: 00E7F852
1#QNAN, xrefs: 00E7F84B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
Instruction ID: 58a0f769a54dbd9bfde5d09c8e8f59e997df20bc96f32fa46e0062ab8b5b5e98
Opcode Fuzzy Hash: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
Instruction Fuzzy Hash: D9C22972E086298FDB29CE28DD407EAB7B5EB49305F1491EAD44DF7241E774AE818F40

Function 00EB648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EB64DC
CoInitialize.OLE32(00000000), ref: 00EB6639
CoCreateInstance.OLE32(00EDFCF8,00000000,00000001,00EDFB68,?), ref: 00EB6650
CoUninitialize.OLE32 ref: 00EB68D4

Strings

.lnk, xrefs: 00EB64BA, 00EB6524, 00EB65E0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
Instruction ID: 02cd940b522b5d10f01e5dbef5662dde1e220d0bf1849d1a1ec407f7d4b10e2c
Opcode Fuzzy Hash: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
Instruction Fuzzy Hash: C7D159716093019FC314EF24D881DABB7E8FF98304F14596DF595AB2A2DB31E909CB92

Function 00EC22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EC22E8

Part of subcall function 00EBE4EC: GetWindowRect.USER32(?,?), ref: 00EBE504

GetDesktopWindow.USER32 ref: 00EC2312
GetWindowRect.USER32(00000000), ref: 00EC2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EC2355
GetCursorPos.USER32(?), ref: 00EC2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EC23DF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 893d05dedc6ee8cb0f1938cf81a44282b66a8183107c13ec1bf48e07189b1b92
Instruction ID: c8e071173daab4885897037d8360d8b41836da500d2418ea1a607264b72aa621
Opcode Fuzzy Hash: 893d05dedc6ee8cb0f1938cf81a44282b66a8183107c13ec1bf48e07189b1b92
Instruction Fuzzy Hash: 2031DE72105346AFCB20DF19D904F9BB7A9FB88714F10191EF984A7181DA35E909CB92

Function 00EB9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EB9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EB9C8B

Part of subcall function 00EB3874: GetInputState.USER32 ref: 00EB38CB
Part of subcall function 00EB3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EB9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EB9C75

Strings

*.*, xrefs: 00EB9B5D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d735f93a7f136cb9f5ccf4c9b4e886e08617fd52e912c8e82caf59f84362144f
Instruction ID: 4ca11864184f32fdc87c7695ca01d3f37928dcfa101a1ea79a50892fb97972ff
Opcode Fuzzy Hash: d735f93a7f136cb9f5ccf4c9b4e886e08617fd52e912c8e82caf59f84362144f
Instruction Fuzzy Hash: 68417E7194020A9FCF14DFA4D889AEEBBF4EF05354F245156E505B21A2EB309E44CF60

Function 00E5997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E59A4E
GetSysColor.USER32(0000000F), ref: 00E59B23
SetBkColor.GDI32(?,00000000), ref: 00E59B36

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
Instruction ID: e991aa8b500467bcff86a0bf8d9b0af14f6a31608b24ad48844238fbb28bfacc
Opcode Fuzzy Hash: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
Instruction Fuzzy Hash: 36A15CB0218144FEEB289A3C8C48DFB369DEB42346F15790AF942F66D3CA259D0DD275

Function 00EC1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC304E: inet_addr.WSOCK32(?), ref: 00EC307A
Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00EC185D
WSAGetLastError.WSOCK32 ref: 00EC1884
bind.WSOCK32(00000000,?,00000010), ref: 00EC18DB
WSAGetLastError.WSOCK32 ref: 00EC18E6
closesocket.WSOCK32(00000000), ref: 00EC1915

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
Instruction ID: b5783655b5d5dd336b8adc63228a01c7edf4873f55daa6c4781a9d80b1151601
Opcode Fuzzy Hash: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
Instruction Fuzzy Hash: 6251E071A00200AFDB10AF24D986F2AB7E5AB45718F18948CF9057F383C771AD42CBA1

Function 00ED1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00ED1CC0
IsWindowEnabled.USER32 ref: 00ED1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00ED1CDB
IsIconic.USER32 ref: 00ED1CE9
IsZoomed.USER32 ref: 00ED1CF7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6ebffdfd9202398d5b4d0e8df747aa035c5df5927315b5a3c9d0a76f12acfc51
Instruction ID: e0fc917365b182e51e0d5c97e3f1d18c1ae5abecbd80f083b9012200fb4439b4
Opcode Fuzzy Hash: 6ebffdfd9202398d5b4d0e8df747aa035c5df5927315b5a3c9d0a76f12acfc51
Instruction Fuzzy Hash: B92127317512016FD7248F2AD844B6ABBE5EF84319F29A09EE846EB351C771EC43CB90

Function 00E48060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E4843C
VUUU, xrefs: 00E483E8
ERCP, xrefs: 00E4813C
VUUU, xrefs: 00E483FA
VUUU, xrefs: 00E85DF0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
Instruction ID: f0e7da436bc44c66b1d1775b697bfc4a048daea386c54bd7bbe5877b18365af5
Opcode Fuzzy Hash: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
Instruction Fuzzy Hash: C0A28C71A0021ACBDF24DF58D9407EEB7B1BB54318F2491AAE81DB7285EB749D81CF90

Function 00ECA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ECA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00ECA6BA

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Process32NextW.KERNEL32(00000000,?), ref: 00ECA79C
CloseHandle.KERNEL32(00000000), ref: 00ECA7AB

Part of subcall function 00E5CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E83303,?), ref: 00E5CE8A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 59b666813608933f58757719ce938ec0ea86908994780112bd6c178064ff647a
Instruction ID: 78e3bbbdce3cd18381c443bedbadbf74291c25bc87c9c8e9f877c29257eb3706
Opcode Fuzzy Hash: 59b666813608933f58757719ce938ec0ea86908994780112bd6c178064ff647a
Instruction Fuzzy Hash: A3517B71508300AFD314EF24D886E6BBBE8FF89754F04592DF985A7262EB31D905CB92

Function 00EAAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EAAAAC
SetKeyboardState.USER32(00000080), ref: 00EAAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EAAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EAAB88

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
Instruction ID: 2d8f3c3ecfad7c31784d8087dade4d7c92fd67736f94431bb4c98fc56a59922c
Opcode Fuzzy Hash: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
Instruction Fuzzy Hash: 83312B30A40308AEEB308A65CC05BFA77E6AB4E314F18622AE0817A1D1D374A985C772

Function 00EBCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EBCE89
GetLastError.KERNEL32(?,00000000), ref: 00EBCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EBCEFE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e0b84d36dc232042125b3e49e1b8e53341daeab533a43a62280452eb8958fea7
Instruction ID: 604334c2866849024459bec55f17169701b04b29556e9b6a7e0d2b70db844d2b
Opcode Fuzzy Hash: e0b84d36dc232042125b3e49e1b8e53341daeab533a43a62280452eb8958fea7
Instruction Fuzzy Hash: 7D21AC71608706DFDB209FA5E948BA777F8EB00358F20541AE646E2151E770EA08CBA0

Function 00EA8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EA82AA

Strings

|, xrefs: 00EA82DA
(, xrefs: 00EA82F0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8a6e4e0814b456e002068ce25980486684f5d89611b88713272e90db2f26628a
Instruction ID: a4323a4e47fdb3d6ebcc9c043bafdae6fcd56d01f9ed86c09140408016711286
Opcode Fuzzy Hash: 8a6e4e0814b456e002068ce25980486684f5d89611b88713272e90db2f26628a
Instruction Fuzzy Hash: CA323574A007059FCB28CF59C581AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40

Function 00EB5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EB5D17
FindClose.KERNEL32(?), ref: 00EB5D5F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: dc47e9514cb3a16d9a2569429d927e753c02294963a22e9d02b52638f07f20a3
Instruction ID: e61b962e254d0f028e4fc59aed72b2fedef3e06ccd89daed40eac57bfd05bf69
Opcode Fuzzy Hash: dc47e9514cb3a16d9a2569429d927e753c02294963a22e9d02b52638f07f20a3
Instruction Fuzzy Hash: 9C51AA75604A019FC714CF28D494A96B7E4FF49318F24965EE99AAB3A1CB30FD04CF91

Function 00E72622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E7271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E72724
UnhandledExceptionFilter.KERNEL32(?), ref: 00E72731

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
Instruction ID: c5c1d3c0dd03271da6c693d085602d89b81c3d34c122a858ffbc33d01a3db0fe
Opcode Fuzzy Hash: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
Instruction Fuzzy Hash: 7C31D574D5122D9BCB21DF68DD8879DB7B8AF08350F5052EAE91CA7260E7309F858F44

Function 00EB51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EB5238
SetErrorMode.KERNEL32(00000000), ref: 00EB52A1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
Instruction ID: f4924257ee179838f7c612a5fe09ec43a6d601e6c709565d2b84f9870286c2b1
Opcode Fuzzy Hash: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
Instruction Fuzzy Hash: 9D316B35A00518DFDB00DF54D884EAEBBF4FF09318F188099E805AB362CB35E84ACB90

Function 00EA16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60668
Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EA173A
GetLastError.KERNEL32 ref: 00EA174A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 2570771ae66440b652b1c5affe74f27e3c0e04fcc3f010371d9be1446bfaf68e
Instruction ID: 8038ef606234dc1b52faec3812050c316e9181108154f33cfd3d4bca9287e245
Opcode Fuzzy Hash: 2570771ae66440b652b1c5affe74f27e3c0e04fcc3f010371d9be1446bfaf68e
Instruction Fuzzy Hash: A31101B2400305AFD7189F54EC86E6AB7F8EB09754B20856EF446A7241EB70BC45CB20

Function 00EAD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EAD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EAD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EAD650

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
Instruction ID: 0da9eaed6b0fcae0cc36905c788bf1643e9f474e1db81ce83e2d5757476e2500
Opcode Fuzzy Hash: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
Instruction Fuzzy Hash: 39118EB1E05228BFDB108F95EC44FAFBBBCEB49B50F108152F904F7290C2705A058BA1

Function 00EA1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EA168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EA16A1
FreeSid.ADVAPI32(?), ref: 00EA16B1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
Instruction ID: 2b7d307d7313f5549cb8882c87bef58c4204d0e4dddeee5cede7daeb92e2e947
Opcode Fuzzy Hash: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
Instruction Fuzzy Hash: 92F0F471951309FFDF00DFE59C89AAEBBBCEB08644F5045A5E501E2181E774AA489A50

Function 00E7C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00E7C36C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d008abf90b94c0dbbae59f30f76c11069507d0f2c49fcc728f122dab47554e93
Instruction ID: 288e1503de583aee8c9262c994d069ec2df7083c012322ee2ac499d1be08a592
Opcode Fuzzy Hash: d008abf90b94c0dbbae59f30f76c11069507d0f2c49fcc728f122dab47554e93
Instruction Fuzzy Hash: 2A413A725006197FCB209FB9DC48DAB77BCEB84358F2092ADF919E7180E6309D41CB50

Function 00E9D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E9D28C

Strings

X64, xrefs: 00E9D2A8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
Instruction ID: 69e81a45222168db081b3cce7d3a7c486d2f104dfd537e7d85ea7d160790bab5
Opcode Fuzzy Hash: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
Instruction Fuzzy Hash: 48D0C9B480512DEECF90CB90EC88DD9B37CFB04345F100552F506B2080D73095488F10

Function 00E6CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f745cfb2b28293938f5a0d7ca4c6ebeac9b6fe71a102a0967cc08f798c8dd093
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 2F023B71E402199BDF14CFA9D8806ADFBF1EF88354F25916AD859FB380D731AA41CB90

Function 00EB68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EB6918
FindClose.KERNEL32(00000000), ref: 00EB6961

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
Instruction ID: af807acd4400e3ac72f522a9ed71dcc7d5735fcdecb7c4dc90e5a09430fe4113
Opcode Fuzzy Hash: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
Instruction Fuzzy Hash: 9B11E2316046019FC710CF29D484A16BBE1FF84328F14C699F8699F7A2C734EC05CB90

Function 00EB37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EC4891,?,?,00000035,?), ref: 00EB37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EC4891,?,?,00000035,?), ref: 00EB37F4

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
Instruction ID: 584da97fcfaef2656eecd55635d0db2d2e61d23699d3bfb2fcdd126aa33abf65
Opcode Fuzzy Hash: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
Instruction Fuzzy Hash: 60F0EC707052356AD71017B66C4DFDB779DEFC4761F100166F509F2191D9605904C7B0

Function 00EA10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EA11FC), ref: 00EA10D4
CloseHandle.KERNEL32(?,?,00EA11FC), ref: 00EA10E9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8794cd9a8ef945b56d71fb6c863306d58a607046e561387acd6e588a77b4942f
Instruction ID: 0d29c5fde237f6591117c915852a5adc3110294861df175df5346124028f6932
Opcode Fuzzy Hash: 8794cd9a8ef945b56d71fb6c863306d58a607046e561387acd6e588a77b4942f
Instruction Fuzzy Hash: 04E04F32008601AEE7252B11FC06F7377E9EB04321F20882EF9A5904B1DB626C94DB10

Function 00E4CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00E90C40

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: df52f8fc48e0e7b201adf010a35fea65a59ad3ae26def8a886a10ae9881e6b28
Instruction ID: 3895e5ae798c2d95135c5af48b799497c9a463ae74e532670823b01b8408a686
Opcode Fuzzy Hash: df52f8fc48e0e7b201adf010a35fea65a59ad3ae26def8a886a10ae9881e6b28
Instruction Fuzzy Hash: 4D328C70A01218DFCF54DF90E881AEDB7F5BF04308F646069E806BB292D775AE49CB51

Function 00E7676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E76766,?,?,00000008,?,?,00E7FEFE,00000000), ref: 00E76998

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
Instruction ID: 288c9deec47d916d0f88ff407f3ef69113f65278fb31594c8d494ade3caa8b58
Opcode Fuzzy Hash: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
Instruction Fuzzy Hash: D1B15A31510A099FEB19CF28C486BA47BA0FF4536CF25D658E99DDF2A2C335D985CB40

Function 00E5B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00E9851F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 27f27ef3bcaffaea332546f642ab64086685eae004bac4d2db74eede92c3336a
Instruction ID: 66d51a5b02c6600f08322ad3bf127e337dbbadeda0578f60d534046f4f0728a4
Opcode Fuzzy Hash: 27f27ef3bcaffaea332546f642ab64086685eae004bac4d2db74eede92c3336a
Instruction Fuzzy Hash: 65125E719002299FCF24CF58C9806EEB7F5FF48710F1495AAE849FB251EB309A85CB90

Function 00EBEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EBEABD

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1294b131ae9ee6417c5b89271af1979ba5c180dd9bc59e376be93220a9a760cd
Instruction ID: eabadcdb31dab44adf2383981fd2a70825f3b97093efa623a671b3c8c92d5891
Opcode Fuzzy Hash: 1294b131ae9ee6417c5b89271af1979ba5c180dd9bc59e376be93220a9a760cd
Instruction Fuzzy Hash: 61E01A312002049FC710EF6AE804EDAF7EDAF987A0F109416FC49E7391DA74E8448B90

Function 00E609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E603EE), ref: 00E609DA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
Instruction ID: a51352dea29d5da1aae6c28f4b69eb0c5a151e18a0a3b1a529b1576b1b15d2aa
Opcode Fuzzy Hash: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
Instruction Fuzzy Hash:

Function 00E6781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E6798B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e28de22f18323e8738e4032b13a837609c76468a38f2786d242f951a0b6e3ed0
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 815175616CC7155ADB3C8578B95A7FE67D59B823CCF183A09D8C2F7282C611EE41C352

Function 00E76DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c0a90d39b8f0880a393ad7422cafc973ccc430c49948ee9628ca16e5862d6e
Instruction ID: d3b2989061178b3841704a7c655c19f9a09ee567bd8e524cc4acd4cc21fbcdd1
Opcode Fuzzy Hash: c4c0a90d39b8f0880a393ad7422cafc973ccc430c49948ee9628ca16e5862d6e
Instruction Fuzzy Hash: 61327722D28F454DD7239A35CC62335664DAFB33C9F15E33BF86AB99A5EB28C4834100

Function 00E5CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23015ca265ea2371c5dc6969254b61d8b32be6b128f0564d495978259327052d
Instruction ID: 3b41a8e60b8ed503fe562693d5582591b50509ffd18e6437e78d4309345cc5ab
Opcode Fuzzy Hash: 23015ca265ea2371c5dc6969254b61d8b32be6b128f0564d495978259327052d
Instruction Fuzzy Hash: E3324D31A002458FDF24EF28C4A46BDBBA1EF45309F38A966D95AF7292D330DD85DB41

Function 00E47920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540738c78e41960d4189a561f72d5b676c9780a0eb2221919cde045b999d51b8
Instruction ID: 9418db575c0d50f9fca21dbfc9c19f26433baccc40a183e888a55ba99e9508dd
Opcode Fuzzy Hash: 540738c78e41960d4189a561f72d5b676c9780a0eb2221919cde045b999d51b8
Instruction Fuzzy Hash: BA22AFB1A006099FDF14DF64D881AEEB3F6FF48304F146529E85AB7291EB359D14CB90

Function 00E491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0281456644e252f2aa8e89be23e4b6d7704c5f4d6f31fd1e4fbdf4de18bd65e
Instruction ID: 892e1c86a3e8f8972cbee48e23541117006a2f91213e732a5c85686458c9c86b
Opcode Fuzzy Hash: e0281456644e252f2aa8e89be23e4b6d7704c5f4d6f31fd1e4fbdf4de18bd65e
Instruction Fuzzy Hash: DD02A6B1E00119EBDB04EF64D881AAEB7F5FF44304F109565E81ABB391EB31AE14CB95

Function 00E79EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1737cf7944651f8ce679964b7215a09e5dfaa4a85c1b3a9c82f525a178b9a9ff
Instruction ID: 84c53d66de31f4a72bf1407f37cd623394cc4164eac872639898fb2eeac84ca1
Opcode Fuzzy Hash: 1737cf7944651f8ce679964b7215a09e5dfaa4a85c1b3a9c82f525a178b9a9ff
Instruction Fuzzy Hash: C3B12520D2AF844DC323963A8875336B65CAFBB6C5F91D31BFC2679D22EB2285874140

Function 00E67A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc81c82a6aefd173da273a4439c703ea70c765aeea8ca6fd5c29bf869fa744fe
Instruction ID: bbce84a6cb32f16bc6df218121047e9c2ecbbbb2aa125f319845ce9af0b00e5f
Opcode Fuzzy Hash: bc81c82a6aefd173da273a4439c703ea70c765aeea8ca6fd5c29bf869fa744fe
Instruction Fuzzy Hash: 2B6179312C830956DA349A68BDA5BFE63D6DF417CCF103A19E8C2FB281DA119E42C315

Function 00E67CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8886071ef8d770af383eebb9520f45e43df3b2e81ea008822f76a9053935d752
Instruction ID: acce68d2c9d1cb7493d9f2f368231ab79c07bbd2f7d52aaa4c641c710ae7b0d9
Opcode Fuzzy Hash: 8886071ef8d770af383eebb9520f45e43df3b2e81ea008822f76a9053935d752
Instruction Fuzzy Hash: 8A6179316C870956DA388A28B955BBF23C49F437CCF103D5EE9C2FB281EA12AD46C355

Function 00EB2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b2d792071d3d466ff05be23aaf14e1eefe31ddf6e4b421f8706f09f2ad14eb
Instruction ID: 75457d5ac0c09eb27e5ff6bf8dd96618d0c348003039c38630c43e025da7ed2e
Opcode Fuzzy Hash: f2b2d792071d3d466ff05be23aaf14e1eefe31ddf6e4b421f8706f09f2ad14eb
Instruction Fuzzy Hash: C721E7323206158BDB28CF79C8236BE73E5AB54310F158A2EE4A7D33D0DE35A904DB80

Function 00E5D071 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eccedda4d59d461ace39051ca89190d02fb05e6e9ef7f3bff90add423f835b6
Instruction ID: d93f52d3f7135b4b8f3aa4e95b6eea1228a09e60594e80fd9dd8b36be13ecfd8
Opcode Fuzzy Hash: 5eccedda4d59d461ace39051ca89190d02fb05e6e9ef7f3bff90add423f835b6
Instruction Fuzzy Hash: B9F0DE0204DEDABBCB5B0622987F1A66FB0C84702422807CF849B06BD79BCC109DC352

Function 00EC2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EC2B30
DeleteObject.GDI32(00000000), ref: 00EC2B43
DestroyWindow.USER32 ref: 00EC2B52
GetDesktopWindow.USER32 ref: 00EC2B6D
GetWindowRect.USER32(00000000), ref: 00EC2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EC2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EC2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2CF8
GetClientRect.USER32(00000000,?), ref: 00EC2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EC2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D80
GlobalLock.KERNEL32(00000000), ref: 00EC2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2D98
GlobalUnlock.KERNEL32(00000000), ref: 00EC2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2DA8
GlobalFree.KERNEL32(00000000), ref: 00EC2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EDFC38,00000000), ref: 00EC2DDB
GlobalFree.KERNEL32(00000000), ref: 00EC2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EC2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EC2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC303F

Strings

, xrefs: 00EC2FC5
static, xrefs: 00EC2D3A, 00EC2E91
AutoIt v3, xrefs: 00EC2CF2
DISPLAY, xrefs: 00EC2EA2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 30f87ed827aeecfe911223f58ce8a4b71d1e09d8ef01470de223ace09725f984
Instruction ID: 827ee94c17b2a395d80f7bb784f8655bdf822858598a4407694c863e6c25240c
Opcode Fuzzy Hash: 30f87ed827aeecfe911223f58ce8a4b71d1e09d8ef01470de223ace09725f984
Instruction Fuzzy Hash: 1F028871A00219AFDB14CF65DD89EAEBBB9EB48750F10811DF915BB2A0CB35ED05CB60

Function 00ED70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00ED712F
GetSysColorBrush.USER32(0000000F), ref: 00ED7160
GetSysColor.USER32(0000000F), ref: 00ED716C
SetBkColor.GDI32(?,000000FF), ref: 00ED7186
SelectObject.GDI32(?,?), ref: 00ED7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00ED71C0
GetSysColor.USER32(00000010), ref: 00ED71C8
CreateSolidBrush.GDI32(00000000), ref: 00ED71CF
FrameRect.USER32(?,?,00000000), ref: 00ED71DE
DeleteObject.GDI32(00000000), ref: 00ED71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00ED7230
FillRect.USER32(?,?,?), ref: 00ED7262
GetWindowLongW.USER32(?,000000F0), ref: 00ED7284

Part of subcall function 00ED73E8: GetSysColor.USER32(00000012), ref: 00ED7421
Part of subcall function 00ED73E8: SetTextColor.GDI32(?,?), ref: 00ED7425
Part of subcall function 00ED73E8: GetSysColorBrush.USER32(0000000F), ref: 00ED743B
Part of subcall function 00ED73E8: GetSysColor.USER32(0000000F), ref: 00ED7446
Part of subcall function 00ED73E8: GetSysColor.USER32(00000011), ref: 00ED7463
Part of subcall function 00ED73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ED7471
Part of subcall function 00ED73E8: SelectObject.GDI32(?,00000000), ref: 00ED7482
Part of subcall function 00ED73E8: SetBkColor.GDI32(?,00000000), ref: 00ED748B
Part of subcall function 00ED73E8: SelectObject.GDI32(?,?), ref: 00ED7498
Part of subcall function 00ED73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00ED74B7
Part of subcall function 00ED73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ED74CE
Part of subcall function 00ED73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00ED74DB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e5cdfd44391e091c897dddc346f3a508db0e4f01c836368c27eff554ab94871d
Instruction ID: c9843158cc381d81fb8e6334725b3db8d135ca083aede7d5ba52e481a272b33c
Opcode Fuzzy Hash: e5cdfd44391e091c897dddc346f3a508db0e4f01c836368c27eff554ab94871d
Instruction Fuzzy Hash: 4BA1B67100A312AFDB009F61EC48E5BB7A9FF49364F201B1AF9A2B61E1D731D949CB51

Function 00EC2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EC273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EC286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EC28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EC28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EC2900
GetClientRect.USER32(00000000,?), ref: 00EC290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EC2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EC2964
GetStockObject.GDI32(00000011), ref: 00EC2974
SelectObject.GDI32(00000000,00000000), ref: 00EC2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EC2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC2991
DeleteDC.GDI32(00000000), ref: 00EC299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EC29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EC29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EC2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EC2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EC2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EC2A77
GetStockObject.GDI32(00000011), ref: 00EC2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EC2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EC2A97

Strings

msctls_progress32, xrefs: 00EC2A13
static, xrefs: 00EC294F, 00EC2A71
AutoIt v3, xrefs: 00EC28F8
DISPLAY, xrefs: 00EC295A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
Instruction ID: 4a030619d16aba4dbd159d14c1a026e0f3e2e57f5f9ca204d2b43cbb28306a59
Opcode Fuzzy Hash: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
Instruction Fuzzy Hash: DAB15D71A00219AFEB14DF69DD85FAEBBA9FB48710F108519FA14EB290D774ED01CB90

Function 00EB4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB4AED
GetDriveTypeW.KERNEL32(?,00EDCB68,?,\\.\,00EDCC08), ref: 00EB4BCA
SetErrorMode.KERNEL32(00000000,00EDCB68,?,\\.\,00EDCC08), ref: 00EB4D36

Strings

Fibre, xrefs: 00EB4CAD
RAID, xrefs: 00EB4CBB
iSCSI, xrefs: 00EB4CC2
Removable, xrefs: 00EB4C10, 00EB4C15
FileBackedVirtual, xrefs: 00EB4CEC
ATAPI, xrefs: 00EB4C91
Fixed, xrefs: 00EB4C09
USB, xrefs: 00EB4CB4
SCSI, xrefs: 00EB4C8A
RAMDisk, xrefs: 00EB4BF4
Network, xrefs: 00EB4C02
\\.\, xrefs: 00EB4B3F
1394, xrefs: 00EB4C9F
MMC, xrefs: 00EB4CDE
SATA, xrefs: 00EB4CD0
CDROM, xrefs: 00EB4BFB
ATA, xrefs: 00EB4C98
Virtual, xrefs: 00EB4CE5
PhysicalDrive, xrefs: 00EB4B76
Unknown, xrefs: 00EB4BED, 00EB4C83
SSD, xrefs: 00EB4C4A
SAS, xrefs: 00EB4CC9
SSA, xrefs: 00EB4CA6

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
Instruction ID: 697f2f391c1b6108d36f96d29e07087026614b21abfa2262b266196be4a2461e
Opcode Fuzzy Hash: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
Instruction Fuzzy Hash: 5961C4B16061069BDB04DF14CA81AFABBA0AB44B44B20A415F846FB6D3DB35ED45FF42

Function 00ED73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00ED7421
SetTextColor.GDI32(?,?), ref: 00ED7425
GetSysColorBrush.USER32(0000000F), ref: 00ED743B
GetSysColor.USER32(0000000F), ref: 00ED7446
CreateSolidBrush.GDI32(?), ref: 00ED744B
GetSysColor.USER32(00000011), ref: 00ED7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ED7471
SelectObject.GDI32(?,00000000), ref: 00ED7482
SetBkColor.GDI32(?,00000000), ref: 00ED748B
SelectObject.GDI32(?,?), ref: 00ED7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00ED74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ED74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00ED74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00ED7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00ED7572
DrawFocusRect.USER32(?,?), ref: 00ED757D
GetSysColor.USER32(00000011), ref: 00ED758E
SetTextColor.GDI32(?,00000000), ref: 00ED7596
DrawTextW.USER32(?,00ED70F5,000000FF,?,00000000), ref: 00ED75A8
SelectObject.GDI32(?,?), ref: 00ED75BF
DeleteObject.GDI32(?), ref: 00ED75CA
SelectObject.GDI32(?,?), ref: 00ED75D0
DeleteObject.GDI32(?), ref: 00ED75D5
SetTextColor.GDI32(?,?), ref: 00ED75DB
SetBkColor.GDI32(?,?), ref: 00ED75E5

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3cb68d3a2f6a6bd2de34fcb129c92347c44d6ca4abdfe6f7a5adfb3ac89d1311
Instruction ID: 7b3e91065f736fb192d551bc820d4e2502216e8e63f0c4017f3366ea38885848
Opcode Fuzzy Hash: 3cb68d3a2f6a6bd2de34fcb129c92347c44d6ca4abdfe6f7a5adfb3ac89d1311
Instruction Fuzzy Hash: 05617E72901219AFDF019FA5EC49EEEBFB9EB08360F204116F915BB2A1D7709941CB90

Function 00ED0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00ED1128
GetDesktopWindow.USER32 ref: 00ED113D
GetWindowRect.USER32(00000000), ref: 00ED1144
GetWindowLongW.USER32(?,000000F0), ref: 00ED1199
DestroyWindow.USER32(?), ref: 00ED11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00ED11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00ED1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00ED1245
IsWindowVisible.USER32(00000000), ref: 00ED12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00ED12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00ED12D0
GetWindowRect.USER32(00000000,?), ref: 00ED12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00ED130E
GetMonitorInfoW.USER32(00000000,?), ref: 00ED1328
CopyRect.USER32(?,?), ref: 00ED133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00ED13AA

Strings

tooltips_class32, xrefs: 00ED11E6
0, xrefs: 00ED10D3
(, xrefs: 00ED131B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
Instruction ID: da723d3c6420e06c84cacd83655ebf8bbdd0553d6d8445937e901d0932896e4e
Opcode Fuzzy Hash: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
Instruction Fuzzy Hash: DDB19C71608341AFD700DF65D884B6BFBE4FF88744F00995AF999AB2A1C731E845CB92

Function 00ED0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ED02E5
_wcslen.LIBCMT ref: 00ED031F
_wcslen.LIBCMT ref: 00ED0389
_wcslen.LIBCMT ref: 00ED03F1
_wcslen.LIBCMT ref: 00ED0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00ED04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED0504

Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD

Part of subcall function 00EA223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EA2258
Part of subcall function 00EA223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EA228A

Strings

GETSUBITEMCOUNT, xrefs: 00ED0384, 00ED039F
GETTEXT, xrefs: 00ED03EC, 00ED0407
DESELECT, xrefs: 00ED059C
SELECTINVERT, xrefs: 00ED057E
SELECTALL, xrefs: 00ED0515
SELECT, xrefs: 00ED0548
GETSELECTEDCOUNT, xrefs: 00ED0470, 00ED048B
GETITEMCOUNT, xrefs: 00ED0316, 00ED0337
GETSELECTED, xrefs: 00ED05E1
SELECTCLEAR, xrefs: 00ED052D
VIEWCHANGE, xrefs: 00ED0675
ISSELECTED, xrefs: 00ED04DD
FINDITEM, xrefs: 00ED0627

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: bdca0238a45da6816cd0491265ba1604588ca77f9db37f757a7e22866955f290
Instruction ID: 11168c712190625e69fcf231d30ba7ef5f8517f35ee2cd04e13d4ed4f131ad81
Opcode Fuzzy Hash: bdca0238a45da6816cd0491265ba1604588ca77f9db37f757a7e22866955f290
Instruction Fuzzy Hash: A6E19D316082018BC714DF24D550A6AB3E6FFC8318F18695EF896BB7A2DB30ED46DB51

Function 00E58891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E58968
GetSystemMetrics.USER32(00000007), ref: 00E58970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E5899B
GetSystemMetrics.USER32(00000008), ref: 00E589A3
GetSystemMetrics.USER32(00000004), ref: 00E589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E58A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E58A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E58A5A
GetStockObject.GDI32(00000011), ref: 00E58A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E58A81

Part of subcall function 00E5912D: GetCursorPos.USER32(?), ref: 00E59141
Part of subcall function 00E5912D: ScreenToClient.USER32(00000000,?), ref: 00E5915E
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000001), ref: 00E59183
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000002), ref: 00E5919D

SetTimer.USER32(00000000,00000000,00000028,00E590FC), ref: 00E58AA8

Strings

AutoIt v3 GUI, xrefs: 00E58A20

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cec0649b0b5edec04da82f9857e81a96a27e7911c9363938c96f8c264907f9bc
Instruction ID: 73f8f8ee1e6f29df2936b7f1b377a37e27838e6dc3b269f5826552ca37b6aa5a
Opcode Fuzzy Hash: cec0649b0b5edec04da82f9857e81a96a27e7911c9363938c96f8c264907f9bc
Instruction Fuzzy Hash: 5FB17831A0020A9FDF14DFA8D945BEA3BB5FB48355F11962AFA15BB290DB30E845CB50

Function 00EA0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
Part of subcall function 00EA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EA0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EA0E29
GetLengthSid.ADVAPI32(?), ref: 00EA0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EA0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EA0E96
GetLengthSid.ADVAPI32(?), ref: 00EA0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EA0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EA0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0EDD
CopySid.ADVAPI32(00000000), ref: 00EA0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EA0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F6E
HeapFree.KERNEL32(00000000), ref: 00EA0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F7E
HeapFree.KERNEL32(00000000), ref: 00EA0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA0F8E
HeapFree.KERNEL32(00000000), ref: 00EA0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA0FA1
HeapFree.KERNEL32(00000000), ref: 00EA0FA8

Part of subcall function 00EA1193: GetProcessHeap.KERNEL32(00000008,00EA0BB1,?,00000000,?,00EA0BB1,?), ref: 00EA11A1
Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EA0BB1,?), ref: 00EA11B7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
Instruction ID: 16fbed68407c8c04fae7a95c7b455eb0cf3460c74a471ad37adb8cd05d57456c
Opcode Fuzzy Hash: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
Instruction Fuzzy Hash: 8E717F75A0121AEFDF209FA5EC44BAEBBB8FF09345F148116F915BA191D730A905CB60

Function 00ECC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EDCC08,00000000,?,00000000,?,?), ref: 00ECC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00ECC5A4
_wcslen.LIBCMT ref: 00ECC5F4
_wcslen.LIBCMT ref: 00ECC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00ECC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00ECC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00ECC84D
RegCloseKey.ADVAPI32(?), ref: 00ECC881
RegCloseKey.ADVAPI32(00000000), ref: 00ECC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00ECC960

Strings

REG_QWORD, xrefs: 00ECC8C3
REG_BINARY, xrefs: 00ECC913
REG_MULTI_SZ, xrefs: 00ECC6F5
REG_EXPAND_SZ, xrefs: 00ECC5CD
REG_SZ, xrefs: 00ECC644
REG_DWORD, xrefs: 00ECC804

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2a80656fcb238cb8845aad6fa90df8b34321d62f9d1709eb6d0549533029e3e4
Instruction ID: d19c3d68e5046ad5af4452db1188b4be7f871359e62b27b8531d50cdd2cce932
Opcode Fuzzy Hash: 2a80656fcb238cb8845aad6fa90df8b34321d62f9d1709eb6d0549533029e3e4
Instruction Fuzzy Hash: 421258756042019FDB14DF14D981F2AB7E5EF88714F14985DF88AAB2A2DB35FC42CB81

Function 00ED091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ED09C6
_wcslen.LIBCMT ref: 00ED0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED0A54
_wcslen.LIBCMT ref: 00ED0A8A
_wcslen.LIBCMT ref: 00ED0B06
_wcslen.LIBCMT ref: 00ED0B81

Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD

Part of subcall function 00EA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EA2BFA

Strings

GETTEXT, xrefs: 00ED0C97
GETTOTALCOUNT, xrefs: 00ED09F2, 00ED0A17
COLLAPSE, xrefs: 00ED0B01, 00ED0B1C
SELECT, xrefs: 00ED0D11
UNCHECK, xrefs: 00ED0D3E
CHECK, xrefs: 00ED0A85, 00ED0AA0
EXPAND, xrefs: 00ED0BF8
EXISTS, xrefs: 00ED0B7C, 00ED0B97
ISCHECKED, xrefs: 00ED0CE1
GETSELECTED, xrefs: 00ED0C4E
GETITEMCOUNT, xrefs: 00ED0C1E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
Instruction ID: 59977e36a3b3fb5cc884f906914e8222ba72c78ddf761ae62fc1f5816673bdd2
Opcode Fuzzy Hash: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
Instruction Fuzzy Hash: DDE15C316087019FC714DF24C450A6AB7E2FF98318F18595EF8966B3A2D731ED46DB81

Function 00ECC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
_wcslen.LIBCMT ref: 00ECC9F1
_wcslen.LIBCMT ref: 00ECCA68
_wcslen.LIBCMT ref: 00ECCA9E
_wcslen.LIBCMT ref: 00ECCAF9
_wcslen.LIBCMT ref: 00ECCB2F
_wcslen.LIBCMT ref: 00ECCB7F

Strings

HKU, xrefs: 00ECCBF0
HKLM, xrefs: 00ECCA98, 00ECCA9D
HKCC, xrefs: 00ECCBAC
HKEY_LOCAL_MACHINE, xrefs: 00ECCA62, 00ECCA67
HKEY_CURRENT_USER, xrefs: 00ECCBBD
HKCU, xrefs: 00ECCBCE
HKEY_CURRENT_CONFIG, xrefs: 00ECCB79, 00ECCB7E
HKEY_CLASSES_ROOT, xrefs: 00ECCAF3, 00ECCAF8
HKCR, xrefs: 00ECCB29, 00ECCB2E
HKEY_USERS, xrefs: 00ECCBDF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
Instruction ID: 1f6345e48e902dd0a2c0449419dd776b1305353a85f2916a2679c3acba92258d
Opcode Fuzzy Hash: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
Instruction Fuzzy Hash: 3571EA32A0052A8BCB10DE7CDA41FBB73919BA4758B35252CFC5EB7285E632DD46D350

Function 00ED833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED835A
_wcslen.LIBCMT ref: 00ED836E
_wcslen.LIBCMT ref: 00ED8391
_wcslen.LIBCMT ref: 00ED83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00ED83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00ED5BF2), ref: 00ED844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ED8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00ED84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ED8501
FreeLibrary.KERNEL32(?), ref: 00ED850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ED851D
DestroyIcon.USER32(?,?,?,?,?,00ED5BF2), ref: 00ED852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00ED8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00ED8555

Strings

.icl, xrefs: 00ED8368
.exe, xrefs: 00ED8388
.dll, xrefs: 00ED83AB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
Instruction ID: 556a943fe3b21afc1117bc1a1e963ad7e1c92e7f77b652010cc43b7539b83df5
Opcode Fuzzy Hash: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
Instruction Fuzzy Hash: 29610171940216BEEB14DF64ED41BBF77A8FB04B51F10560AF815F62D0DB74A981C7A0

Function 00E47778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 00E477E7
Unterminated group of comments, xrefs: 00E8528C
#OnAutoItStartRegister, xrefs: 00E47817
', xrefs: 00E85169
", xrefs: 00E85153
#pragma compile, xrefs: 00E477D3
#cs, xrefs: 00E47873, 00E478C5
#requireadmin, xrefs: 00E477FF
#ce, xrefs: 00E478ED
#comments-end, xrefs: 00E478D9
#include, xrefs: 00E47847
Bad directive syntax error, xrefs: 00E8519A
#include-once, xrefs: 00E4782F
Cannot parse #include, xrefs: 00E85279
#comments-start, xrefs: 00E4785F, 00E478B1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 749b8555cd62c599a0ac41d3d5a0b4ac1686a046a14dd1e91242c0a65f21fcce
Instruction ID: 35380326381e831f8450b4f25175fd647433452b2d318bee3166df6c9ebf3f1e
Opcode Fuzzy Hash: 749b8555cd62c599a0ac41d3d5a0b4ac1686a046a14dd1e91242c0a65f21fcce
Instruction Fuzzy Hash: CD811471A40605BBDB20AF60EC46FAE77A8EF14340F006426F949BA292EF71D911C7D1

Function 00EB3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EB3EF8
_wcslen.LIBCMT ref: 00EB3F03
_wcslen.LIBCMT ref: 00EB3F5A
_wcslen.LIBCMT ref: 00EB3F98
GetDriveTypeW.KERNEL32(?), ref: 00EB3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB4087

Strings

type cdaudio alias cd wait, xrefs: 00EB4001
close cd wait, xrefs: 00EB4072
set cd door , xrefs: 00EB4028
wait, xrefs: 00EB4044
closed, xrefs: 00EB3F08, 00EB3F2D, 00EB3F46, 00EB3F7E, 00EB3F97
close, xrefs: 00EB3EFE, 00EB3F18
open, xrefs: 00EB3F54, 00EB3F59
open , xrefs: 00EB3FE5

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 5e8d943e75a26f0cc183160a9b490d223f1991654b52991d170bc694528945b5
Instruction ID: 00e39425e9d7342ab6ecac960cbac45fe1e18ed59e5c3ae631c7ea30f12e09e5
Opcode Fuzzy Hash: 5e8d943e75a26f0cc183160a9b490d223f1991654b52991d170bc694528945b5
Instruction Fuzzy Hash: 7B71D271A042129FC310EF34D8818ABB7F4EF94758F10592DF995A7292EB31ED45CB92

Function 00EA5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EA5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EA5A40
SetWindowTextW.USER32(?,?), ref: 00EA5A57
GetDlgItem.USER32(?,000003EA), ref: 00EA5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EA5A72
GetDlgItem.USER32(?,000003E9), ref: 00EA5A82
SetWindowTextW.USER32(00000000,?), ref: 00EA5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EA5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EA5AC3
GetWindowRect.USER32(?,?), ref: 00EA5ACC
_wcslen.LIBCMT ref: 00EA5B33
SetWindowTextW.USER32(?,?), ref: 00EA5B6F
GetDesktopWindow.USER32 ref: 00EA5B75
GetWindowRect.USER32(00000000), ref: 00EA5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EA5BD3
GetClientRect.USER32(?,?), ref: 00EA5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EA5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EA5C2F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 37967337e00b6ad85399e146e7dc868ce6400c0fd4516819e6ea086952a6141b
Instruction ID: d5a49b9c2243cad6ee555788137c7efecbb871d2d7ca1f1d6c92504dd7213151
Opcode Fuzzy Hash: 37967337e00b6ad85399e146e7dc868ce6400c0fd4516819e6ea086952a6141b
Instruction Fuzzy Hash: AB718F32A00B09AFDB20DFA9CE45AAEBBF5FF48705F105519E152B65A0D774F904CB20

Function 00EBFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EBFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EBFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EBFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EBFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EBFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EBFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EBFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EBFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EBFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EBFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EBFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EBFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EBFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EBFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EBFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EBFECC
GetCursorInfo.USER32(?), ref: 00EBFEDC
GetLastError.KERNEL32 ref: 00EBFF1E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e0e9008c97eb65a0a315d0579e7e3f9520d83c3d2be3caec7262159d270246d3
Instruction ID: b29a9e28769719299e68671fae57a3b997fb45f30db6980a55ac2dbcd2fb1eab
Opcode Fuzzy Hash: e0e9008c97eb65a0a315d0579e7e3f9520d83c3d2be3caec7262159d270246d3
Instruction Fuzzy Hash: C34152B0E053196ADB109FBA9C8986EBFE8FF04754B50452AE11DE7281DB78E901CE91

Function 00E600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E600C6

Part of subcall function 00E600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F1070C,00000FA0,C54101FB,?,?,?,?,00E823B3,000000FF), ref: 00E6011C
Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E823B3,000000FF), ref: 00E60127
Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E823B3,000000FF), ref: 00E60138
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E6014E
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E6015C
Part of subcall function 00E600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E6016A
Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E60195
Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E601A0

___scrt_fastfail.LIBCMT ref: 00E600E7

Part of subcall function 00E600A3: __onexit.LIBCMT ref: 00E600A9

Strings

WakeAllConditionVariable, xrefs: 00E60162
InitializeConditionVariable, xrefs: 00E60148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E60122
SleepConditionVariableCS, xrefs: 00E60154
kernel32.dll, xrefs: 00E60133

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
Instruction ID: 3e7d46bf459501383869cd68b77511736f2309d770a671cf2e9054a1c1f2cc77
Opcode Fuzzy Hash: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
Instruction Fuzzy Hash: 2121F9326867266FD7105BA5BC06B6B33E5DB06BE1F10552BF902F32D1DFA09804CA91

Function 00EA30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA318D
_wcslen.LIBCMT ref: 00EA31F8

Strings

CLASS, xrefs: 00EA3188, 00EA31A5
INSTANCE, xrefs: 00EA3453
TEXT, xrefs: 00EA347C
CLASSNN, xrefs: 00EA31F3, 00EA3204
NAME, xrefs: 00EA3335, 00EA3346
REGEXPCLASS, xrefs: 00EA3255, 00EA3266

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
Instruction ID: c0234be5378886f56790b59e41c73248ef3c9f871bc5a810344fa9b7e6e263bf
Opcode Fuzzy Hash: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
Instruction Fuzzy Hash: 4FE1E431A005169BCB189FB8C4517EEFBB0BF5E754F14A119F466BB240DB30BE899B90

Function 00EB44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00EDCC08), ref: 00EB4527
_wcslen.LIBCMT ref: 00EB453B
_wcslen.LIBCMT ref: 00EB4599
_wcslen.LIBCMT ref: 00EB45F4
_wcslen.LIBCMT ref: 00EB463F
_wcslen.LIBCMT ref: 00EB46A7

Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD

GetDriveTypeW.KERNEL32(?,00F06BF0,00000061), ref: 00EB4743

Strings

network, xrefs: 00EB469D, 00EB46A2
all, xrefs: 00EB4531, 00EB4536
ramdisk, xrefs: 00EB46F1
cdrom, xrefs: 00EB458F, 00EB4594
unknown, xrefs: 00EB4708
fixed, xrefs: 00EB4635, 00EB463A
removable, xrefs: 00EB45EA, 00EB45EF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
Instruction ID: 55f69feb1f740363d48bc1a0a36ea8ab85d7af3c303d7d6969fe606b4a92affb
Opcode Fuzzy Hash: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
Instruction Fuzzy Hash: 9CB112B16083029FC710DF28D890AABB7E5AFA5764F50691DF496E72D2DB30D844CB92

Function 00EC3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EDCC08), ref: 00EC40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EC40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00EDCC08), ref: 00EC40F2
FreeLibrary.KERNEL32(00000000,?,00EDCC08), ref: 00EC413E
StringFromGUID2.OLE32(?,?,00000028,?,00EDCC08), ref: 00EC41A8
SysFreeString.OLEAUT32(00000009), ref: 00EC4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EC42C8
SysFreeString.OLEAUT32(?), ref: 00EC42F2

Strings

kernel32.dll, xrefs: 00EC40B6
GetModuleHandleExW, xrefs: 00EC40C7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 22f43ac5a12cd3a1b3b3199ab6afb6ab910d9a6a85baa618e68953da5dc23623
Instruction ID: 2b7ab5c10520ee3fbf9a1bd894b1bcdbf729e91b122d3f1403002f1ffd4b72a4
Opcode Fuzzy Hash: 22f43ac5a12cd3a1b3b3199ab6afb6ab910d9a6a85baa618e68953da5dc23623
Instruction Fuzzy Hash: 3B125BB5A00105EFDB14DF54C994FAEB7B5FF84318F249098E915AB291C732ED46CBA0

Function 00E4326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F11990), ref: 00E82F8D
GetMenuItemCount.USER32(00F11990), ref: 00E8303D
GetCursorPos.USER32(?), ref: 00E83081
SetForegroundWindow.USER32(00000000), ref: 00E8308A
TrackPopupMenuEx.USER32(00F11990,00000000,?,00000000,00000000,00000000), ref: 00E8309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E830A9

Strings

0, xrefs: 00E4327D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6f164dd52aed0b3e7601628cc9ed6417e7de630f25505cd46ec22d9d7ac19796
Instruction ID: 7a9a8a011d81d02838b951551ba85c51959b5acc6c36ef0ce773a54ed75871d3
Opcode Fuzzy Hash: 6f164dd52aed0b3e7601628cc9ed6417e7de630f25505cd46ec22d9d7ac19796
Instruction Fuzzy Hash: 4C712730640206BEEB219F75DC49FAABF68FF05768F205206F62C7A1E1C7B1A914DB54

Function 00ED6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00ED6DEB

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00ED6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ED6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6E94
DestroyWindow.USER32(?), ref: 00ED6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E40000,00000000), ref: 00ED6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6EFD
GetDesktopWindow.USER32 ref: 00ED6F16
GetWindowRect.USER32(00000000), ref: 00ED6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ED6F4D

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

Strings

tooltips_class32, xrefs: 00ED6E58, 00ED6EDD
0, xrefs: 00ED6D98

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
Instruction ID: 1e43ce2644ea6f63cd23bad9fbe59453255449de5e3d6564f9c703f7b1bb78e3
Opcode Fuzzy Hash: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
Instruction Fuzzy Hash: 2E718B70204245AFDB21CF18DC44EAABBF9FB89708F54541EF999A7361C770E90ADB12

Function 00ED911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

DragQueryPoint.SHELL32(?,?), ref: 00ED9147

Part of subcall function 00ED7674: ClientToScreen.USER32(?,?), ref: 00ED769A
Part of subcall function 00ED7674: GetWindowRect.USER32(?,?), ref: 00ED7710
Part of subcall function 00ED7674: PtInRect.USER32(?,?,00ED8B89), ref: 00ED7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00ED91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ED91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ED91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ED9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00ED923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9277
DragFinish.SHELL32(?), ref: 00ED927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ED9371

Strings

@GUI_DRAGFILE, xrefs: 00ED9320
@GUI_DROPID, xrefs: 00ED929E
@GUI_DRAGID, xrefs: 00ED92E9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
Instruction ID: b2c69659bdd4815b81c42efd767a75b4526a7afe87e89616d96b9263d2be3a1f
Opcode Fuzzy Hash: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
Instruction Fuzzy Hash: E2617C71108301AFD701DF55EC85DAFBBE8EF88750F50191EF5A5A32A1DB309A49CB52

Function 00EBC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EBC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EBC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EBC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EBC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EBC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EBC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EBC5F0
InternetCloseHandle.WININET(00000000), ref: 00EBC5FB

Strings

, xrefs: 00EBC575

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
Instruction ID: ba4c642f51cca2e5588d567d9bb1f1a174c80fd78523b2413672bf95ae157614
Opcode Fuzzy Hash: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
Instruction Fuzzy Hash: F6516FB0505609BFDB218F61D988AEB7BFCFF08788F20541AF945E6110DB30E948DB60

Function 00ED856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00ED8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85BA
GlobalLock.KERNEL32(00000000), ref: 00ED85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85D7
GlobalUnlock.KERNEL32(00000000), ref: 00ED85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00EDFC38,?), ref: 00ED8611
GlobalFree.KERNEL32(00000000), ref: 00ED8621
GetObjectW.GDI32(?,00000018,?), ref: 00ED8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00ED8671
DeleteObject.GDI32(?), ref: 00ED8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00ED86AF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
Instruction ID: 2b6c321261d40578cf546b029dcc050abcf2ded06488a28d6b3772cf8db8799a
Opcode Fuzzy Hash: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
Instruction Fuzzy Hash: 4E415B71601205AFDB10CFA6ED48EAE7BBCEF89B55F10415AF815E72A0DB309905CB20

Function 00EB14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EB1502
VariantCopy.OLEAUT32(?,?), ref: 00EB150B
VariantClear.OLEAUT32(?), ref: 00EB1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EB15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EB1657
VariantInit.OLEAUT32(?), ref: 00EB1708
SysFreeString.OLEAUT32(?), ref: 00EB178C
VariantClear.OLEAUT32(?), ref: 00EB17D8
VariantClear.OLEAUT32(?), ref: 00EB17E7
VariantInit.OLEAUT32(00000000), ref: 00EB1823

Strings

Default, xrefs: 00EB16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00EB1625

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4be8f1672d97a98fb8c55485db476a70f7769d84aa03da4f270db6047d79814a
Instruction ID: a85e244d679b2dfd034a641c4ca818b432d4472f6539c324ce85b55ae84dfb65
Opcode Fuzzy Hash: 4be8f1672d97a98fb8c55485db476a70f7769d84aa03da4f270db6047d79814a
Instruction Fuzzy Hash: B9D10132A01215DBCB209F65E8A4BFAB7F5BF45720FA49596F806BB180DB30DC44DB91

Function 00ECB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00ECB80A
RegCloseKey.ADVAPI32(?), ref: 00ECB87E
RegCloseKey.ADVAPI32(?), ref: 00ECB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00ECB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ECB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECB922
FreeLibrary.KERNEL32(00000000), ref: 00ECB983
RegCloseKey.ADVAPI32(00000000), ref: 00ECB994

Strings

RegDeleteKeyExW, xrefs: 00ECB8FE
advapi32.dll, xrefs: 00ECB8ED

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
Instruction ID: 0b2459d7dacb68c62ad91c213a1d5bd11992714c61284e67eb92c8903ae73645
Opcode Fuzzy Hash: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
Instruction Fuzzy Hash: 3CC1B131205201AFD714DF14D595F2ABBE5FF84308F24955CF49AAB2A2CB36EC46CB91

Function 00EC255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EC25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EC25E8
CreateCompatibleDC.GDI32(?), ref: 00EC25F4
SelectObject.GDI32(00000000,?), ref: 00EC2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EC266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EC26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EC26D0
SelectObject.GDI32(?,?), ref: 00EC26D8
DeleteObject.GDI32(?), ref: 00EC26E1
DeleteDC.GDI32(?), ref: 00EC26E8
ReleaseDC.USER32(00000000,?), ref: 00EC26F3

Strings

(, xrefs: 00EC268D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 941914ca4baca4c4f2af567a4e70f4b8e334264224b5063ff7c73b16c2888fe8
Instruction ID: 51d1817580d60614511228ac0848bcc9463cab7432c81a95ad9aa78b7576db1e
Opcode Fuzzy Hash: 941914ca4baca4c4f2af567a4e70f4b8e334264224b5063ff7c73b16c2888fe8
Instruction Fuzzy Hash: 1561D275D01219AFCB04CFA4D985EAEBBF5FF48310F20852AE955B7250D771A941CFA0

Function 00E7DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E7DAA1

Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D659
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D66B
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D67D
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D68F
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6A1
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6B3
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6C5
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6D7
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6E9
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D6FB
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D70D
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D71F
Part of subcall function 00E7D63C: _free.LIBCMT ref: 00E7D731

_free.LIBCMT ref: 00E7DA96

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7DAB8
_free.LIBCMT ref: 00E7DACD
_free.LIBCMT ref: 00E7DAD8
_free.LIBCMT ref: 00E7DAFA
_free.LIBCMT ref: 00E7DB0D
_free.LIBCMT ref: 00E7DB1B
_free.LIBCMT ref: 00E7DB26
_free.LIBCMT ref: 00E7DB5E
_free.LIBCMT ref: 00E7DB65
_free.LIBCMT ref: 00E7DB82
_free.LIBCMT ref: 00E7DB9A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f71ee1bc201349dab409c5880805b1165cd6324cf71382ad94946cb2a75fb368
Instruction ID: feadde61d19aaccbe3f1dc575a09e4cd389d0d3dfa909180ac1ff50bcb36c6b8
Opcode Fuzzy Hash: f71ee1bc201349dab409c5880805b1165cd6324cf71382ad94946cb2a75fb368
Instruction Fuzzy Hash: 08314A316086059FEB21AA79EC45B5AB7F9FF40314F15E419E64DF7192DB31AC808760

Function 00EA365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EA369C
_wcslen.LIBCMT ref: 00EA36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EA3797
GetClassNameW.USER32(?,?,00000400), ref: 00EA380C
GetDlgCtrlID.USER32(?), ref: 00EA385D
GetWindowRect.USER32(?,?), ref: 00EA3882
GetParent.USER32(?), ref: 00EA38A0
ScreenToClient.USER32(00000000), ref: 00EA38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EA3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EA395D

Strings

%s%u, xrefs: 00EA3734

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
Instruction ID: a586d54842d3cf8df8c5e428e5848ce94dc786d5f8a9064abb33481ad675f98f
Opcode Fuzzy Hash: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
Instruction Fuzzy Hash: D391D471204606AFD708DF34D885BABB7E8FF49344F105619F999EA190DB30FA45CB91

Function 00EA4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EA4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EA49DA
_wcslen.LIBCMT ref: 00EA49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EA49F7
_wcsstr.LIBVCRUNTIME ref: 00EA4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EA4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EA4B20
GetWindowRect.USER32(?,?), ref: 00EA4B8B

Strings

ThumbnailClass, xrefs: 00EA4A6F, 00EA4AF1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
Instruction ID: fcc3b6d302abac2956813e8fa843f1b353f47437fae51995ab024a7468d24fb5
Opcode Fuzzy Hash: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
Instruction Fuzzy Hash: 8A91C1B10042059FDB04CF14D981BAAB7E8EF89758F04646AFD85AE0D6DB70FD45CBA1

Function 00ED8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ED8D5A
GetFocus.USER32 ref: 00ED8D6A
GetDlgCtrlID.USER32(00000000), ref: 00ED8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00ED8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00ED8ECF
GetMenuItemCount.USER32(?), ref: 00ED8EEC
GetMenuItemID.USER32(?,00000000), ref: 00ED8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00ED8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00ED8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ED8FA1

Strings

0, xrefs: 00ED8E9F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 51dbca8dc4b1ee165207633827e54c3878deeffc6d2a2bbfc3da8d110344da45
Instruction ID: 095d54bbc1780bcc5fad21463019d54299782f5474ee3c4b90586476e486beba
Opcode Fuzzy Hash: 51dbca8dc4b1ee165207633827e54c3878deeffc6d2a2bbfc3da8d110344da45
Instruction Fuzzy Hash: 4181BE716043059FD720CF14DE84AAB7BE9FB88758F142A1EF994A7391DB30D906CB62

Function 00EADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EADC46
_wcslen.LIBCMT ref: 00EADC50
_wcsstr.LIBVCRUNTIME ref: 00EADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EADCBC

Strings

%u.%u.%u.%u, xrefs: 00EADD9A
\VarFileInfo\Translation, xrefs: 00EADCB4
DefaultLangCodepage, xrefs: 00EADD1F
04090000, xrefs: 00EADCF2
StringFileInfo\, xrefs: 00EADC8F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2a3c5840fd16041b3aa3de2e43b7d2d935dd4b62a7c031305b0f46e80208f594
Instruction ID: dbc6919c9bf85e7594021f0064efca01d152d8b20842183380884d6494f4089f
Opcode Fuzzy Hash: 2a3c5840fd16041b3aa3de2e43b7d2d935dd4b62a7c031305b0f46e80208f594
Instruction Fuzzy Hash: 854127729842017ADB00A770AC03EFF77ECDF567A0F10256AF901FA192EB30E90196A5

Function 00ECCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00ECCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ECCD48

Part of subcall function 00ECCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00ECCCAA
Part of subcall function 00ECCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00ECCCBD
Part of subcall function 00ECCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ECCCCF
Part of subcall function 00ECCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ECCD05
Part of subcall function 00ECCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ECCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECCCF3

Strings

RegDeleteKeyExW, xrefs: 00ECCCC9
advapi32.dll, xrefs: 00ECCCB8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
Instruction ID: 142fb7362b4672e9a8a3cbdb9b361fa93c6b0d7837166fd4f75684416b5c66c0
Opcode Fuzzy Hash: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
Instruction Fuzzy Hash: 6D318671902129BFDB209B51DD88EFFBF7CEF15744F204169E90AF2140D7349A46DAA1

Function 00EB3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EB3D40
_wcslen.LIBCMT ref: 00EB3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EB3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EB3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EB3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EB3E55
CloseHandle.KERNEL32(00000000), ref: 00EB3E60
CloseHandle.KERNEL32(00000000), ref: 00EB3E6B

Strings

\, xrefs: 00EB3D77
:, xrefs: 00EB3D82
\??\%s, xrefs: 00EB3D5B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b12a4dadce9e92844c5b2e246ef2f6e50b35ef080561d0ce3b332c5ec0cd93c3
Instruction ID: 98b7c84c688a2347e07fb75a86ab7209d658ecbd7d825e6582c5f8c97725a8dd
Opcode Fuzzy Hash: b12a4dadce9e92844c5b2e246ef2f6e50b35ef080561d0ce3b332c5ec0cd93c3
Instruction Fuzzy Hash: 9631A57194021AABDB209BA1DC49FEF37BDEF88744F5051A6F505F6060E7709744CB24

Function 00EAE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EAE6B4

Part of subcall function 00E5E551: timeGetTime.WINMM(?,?,00EAE6D4), ref: 00E5E555

Sleep.KERNEL32(0000000A), ref: 00EAE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EAE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EAE727
SetActiveWindow.USER32 ref: 00EAE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EAE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EAE773
Sleep.KERNEL32(000000FA), ref: 00EAE77E
IsWindow.USER32 ref: 00EAE78A
EndDialog.USER32(00000000), ref: 00EAE79B

Strings

BUTTON, xrefs: 00EAE719

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
Instruction ID: 24c0668b0b7fa3e24d34d3aed7421e884e76efb6cabdda9182de1c5ac10258fa
Opcode Fuzzy Hash: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
Instruction Fuzzy Hash: 9B21C670301209AFEB005F71FC89B653BA9F79A788F216426F511B62E1DB71BC14EA25

Function 00EAE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EAEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EAEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EAEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EAEAA7

Strings

play PlayMe, xrefs: 00EAEAA2
alias PlayMe, xrefs: 00EAEA36
close PlayMe, xrefs: 00EAEA6E, 00EAEA9B
play PlayMe wait, xrefs: 00EAEA91
status PlayMe mode, xrefs: 00EAEA58
open , xrefs: 00EAEA0C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
Instruction ID: 25010fb5920d0fcaa49ee53d916b4caf623c0e37ea5100faf51f384cdc67a17e
Opcode Fuzzy Hash: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
Instruction Fuzzy Hash: BC11A331A902597DE720A7A1EC4AEFF6BBCEBD6B04F001429B411F60D1EE705914D5B1

Function 00EA5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EA5CE2
GetWindowRect.USER32(00000000,?), ref: 00EA5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EA5D59
GetDlgItem.USER32(?,00000002), ref: 00EA5D69
GetWindowRect.USER32(00000000,?), ref: 00EA5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EA5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EA5DDD
GetWindowRect.USER32(00000000,?), ref: 00EA5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EA5E31
GetDlgItem.USER32(?,000003EA), ref: 00EA5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EA5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EA5E67

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 62cbb7ad48e20fd52f67604d292e2b6f200e2c2d047a11ffb05f27c2169bb0ff
Instruction ID: 9aa5039e65a423d05c80dd12941d5ceaaa360197c51be19ff4eae2833b1a6380
Opcode Fuzzy Hash: 62cbb7ad48e20fd52f67604d292e2b6f200e2c2d047a11ffb05f27c2169bb0ff
Instruction Fuzzy Hash: 6D512DB1A00606AFDF18CF69DD89AAEBBB5FB49740F209129F515F6290D770AE04CB50

Function 00E58BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E58BE8,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E58FC5

DestroyWindow.USER32(?), ref: 00E58C81
KillTimer.USER32(00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E58D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00E96973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000), ref: 00E969D4
DeleteObject.GDI32(00000000), ref: 00E969E6

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
Instruction ID: bcb999d4409d5c7823d8e7242d8a5f359d4f96cbb37867e3edd021f8c2a65c13
Opcode Fuzzy Hash: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
Instruction Fuzzy Hash: B661BD30102605DFDF219F25DA48BA9B7F1FB4036AF11A91EE542BA560CB71AC88DF91

Function 00E59838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952

GetSysColor.USER32(0000000F), ref: 00E59862

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
Instruction ID: 95a5e341e01231a7c0c0d44c2401a66ab57d146b92bc0b00bbafa5b56988d5d6
Opcode Fuzzy Hash: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
Instruction Fuzzy Hash: 1B41B131105610DFDF245F39AC84BF93BA5EB06376F245A06FAA2AB1E2C7309C49DB10

Function 00E78D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00E7903A, 00E78FD0, 00E78FF2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: 1addaeb056a19e08121e9d66ce074e917d78f1148585f28ca469f42fb299d883
Instruction ID: 01b15b178c08e32abd94f0ceea9bf65856c3ced2908146a2ba4fb7a69d4c1d28
Opcode Fuzzy Hash: 1addaeb056a19e08121e9d66ce074e917d78f1148585f28ca469f42fb299d883
Instruction Fuzzy Hash: 2FC10274A44249AFCB11DFA8E845BEDBBF0AF5A314F189199F518B7392CB308941CB61

Function 00EA96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00E8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EA9717
LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9720

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EA9742
LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EA9866

Strings

Line %d:, xrefs: 00EA97A0
Error: , xrefs: 00EA981D
Line %d (File "%s"):, xrefs: 00EA978F
%s (%d) : ==> %s: %s %s, xrefs: 00EA984A
^ ERROR, xrefs: 00EA97FB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
Instruction ID: 9d7710d0b9c4e36a0b0cdfe798123ed66401c4f342068e0054a7cc9f7d834afb
Opcode Fuzzy Hash: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
Instruction Fuzzy Hash: 98413E72900219AADF04EFE0ED86DEEB7B8AF59340F601065F60576092EB356F48DB61

Function 00EA06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EA07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EA07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EA07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EA0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EA082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EA0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EA083C

Strings

\CLSID, xrefs: 00EA0724
SOFTWARE\Classes\, xrefs: 00EA070E
\IPC$, xrefs: 00EA0784

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
Instruction ID: 756f7f10579faed60af4d3b4397abe69d804afd61b8f6567174477b81f365f65
Opcode Fuzzy Hash: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
Instruction Fuzzy Hash: C2411A72C00129AFDF15EBA4EC858EEB7B8FF48754B145125E901B71A1DB30AD04CB90

Function 00EC3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC3C5C
CoInitialize.OLE32(00000000), ref: 00EC3C8A
CoUninitialize.OLE32 ref: 00EC3C94
_wcslen.LIBCMT ref: 00EC3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EC3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EC3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EC3F0E
CoGetObject.OLE32(?,00000000,00EDFB98,?), ref: 00EC3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EC3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EC3FC4
VariantClear.OLEAUT32(?), ref: 00EC3FD8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: ab525d899641167c4a004335f1f49e8d3f7888f7d1d6acba1369d3072b0a5dcf
Instruction ID: 4d04f891bb24805ac19e079fcdb2a08524992640cee4515d3d5d9aa935b6f4b9
Opcode Fuzzy Hash: ab525d899641167c4a004335f1f49e8d3f7888f7d1d6acba1369d3072b0a5dcf
Instruction Fuzzy Hash: 3AC113716083019F9700DF68C984E6BBBE9FF89748F10991DF98AAB251D731ED06CB52

Function 00EB7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EB7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EB7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EB7BA3
CoCreateInstance.OLE32(00EDFD08,00000000,00000001,00F06E6C,?), ref: 00EB7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EB7C74
CoTaskMemFree.OLE32(?,?), ref: 00EB7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EB7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EB7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EB7D81
CoTaskMemFree.OLE32(00000000), ref: 00EB7DD6
CoUninitialize.OLE32 ref: 00EB7DDC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4f4f98680fa1c1f0d0d63629d2d5d6dde0ab687f1db6145fe45602568fa9b9cd
Instruction ID: 482aebb42f00eca01547aaf749eaf7affefd315bc0630d05aff1776204a3cfd0
Opcode Fuzzy Hash: 4f4f98680fa1c1f0d0d63629d2d5d6dde0ab687f1db6145fe45602568fa9b9cd
Instruction Fuzzy Hash: E5C15A74A04109AFCB04DFA4D884DAEBBF9FF88344B149499E859EB761C730ED45CB90

Function 00ED541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00ED5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED5515
CharNextW.USER32(00000158), ref: 00ED5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00ED5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00ED559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED55AC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
Instruction ID: b36c146dc1d689201712b305ea480b974bdf0ce6650046c1cc994af990970506
Opcode Fuzzy Hash: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
Instruction Fuzzy Hash: 39618D32901609EFDB108F55DC849FE7BB9EB05764F10514BF935BA390D7708A82DB62

Function 00E9FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E9FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00E9FB08
VariantInit.OLEAUT32(?), ref: 00E9FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E9FB3A
VariantCopy.OLEAUT32(?,?), ref: 00E9FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E9FBA1
VariantClear.OLEAUT32(?), ref: 00E9FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E9FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E9FBCC
VariantClear.OLEAUT32(?), ref: 00E9FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E9FBE9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b543d504fb3ee7c52ae182ce244d8a6a6701e98c0f48f7accbb5a2bbb7330d96
Instruction ID: 2c6c6a232b428d372e0ad810e7015b19fdb2c38a9cff2e277acd7261e7dc7088
Opcode Fuzzy Hash: b543d504fb3ee7c52ae182ce244d8a6a6701e98c0f48f7accbb5a2bbb7330d96
Instruction Fuzzy Hash: 9D417035A0021A9FCF04DF64D8649EEBBB9FF08344F109069E955F7261DB70A945CF90

Function 00EA9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EA9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EA9D22
GetKeyState.USER32(000000A0), ref: 00EA9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EA9D57
GetKeyState.USER32(000000A1), ref: 00EA9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EA9D84
GetKeyState.USER32(00000011), ref: 00EA9D96
GetAsyncKeyState.USER32(00000012), ref: 00EA9DAE
GetKeyState.USER32(00000012), ref: 00EA9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EA9DD8
GetKeyState.USER32(0000005B), ref: 00EA9DEA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ae1b53eb5400c017343da7ccf4f5c250e7fcbfe0a838fe4cca55ed9adc397490
Instruction ID: 506d288515bfa5406750d3e90786c7ceadfddb10f8ff159e2c522af694095074
Opcode Fuzzy Hash: ae1b53eb5400c017343da7ccf4f5c250e7fcbfe0a838fe4cca55ed9adc397490
Instruction Fuzzy Hash: 9A41C734504BCA6DFF30866094443A5FEE0AF1B358F08905AD6C67E5C3D7A4B9C8C792

Function 00EC055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EC05BC
inet_addr.WSOCK32(?), ref: 00EC061C
gethostbyname.WSOCK32(?), ref: 00EC0628
IcmpCreateFile.IPHLPAPI ref: 00EC0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EC07B9
WSACleanup.WSOCK32 ref: 00EC07BF

Strings

Ping, xrefs: 00EC0676

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c4ff512b4077af9797e8c299313de90d3bb01a585d9f91218cc5d20f8b3ef594
Instruction ID: a934fd4e5c16a680a1b7de5626ec4c7349ba41d9153cb0317ba1b4f5e9cdfe7b
Opcode Fuzzy Hash: c4ff512b4077af9797e8c299313de90d3bb01a585d9f91218cc5d20f8b3ef594
Instruction Fuzzy Hash: 5591AC34608201DFD724DF15D689F1ABBE0EF48318F1495AEE469AB6A2C731ED46CF81

Function 00EC8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EC8CF3

Part of subcall function 00EA8E54: _wcslen.LIBCMT ref: 00EA8E77

_wcslen.LIBCMT ref: 00EC8D4E
_wcslen.LIBCMT ref: 00EC8D9C
_wcslen.LIBCMT ref: 00EC8DDC
_wcslen.LIBCMT ref: 00EC8E6E

Strings

none, xrefs: 00EC8E65, 00EC8E6A
cdecl, xrefs: 00EC8D48, 00EC8D4D
stdcall, xrefs: 00EC8DD6, 00EC8DDB
winapi, xrefs: 00EC8D96, 00EC8D9B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
Instruction ID: 3339b709c0a213b7b03b38cf2a9e9dc7cb5fb9e6c833d71dea169b2d9cb2cc65
Opcode Fuzzy Hash: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
Instruction Fuzzy Hash: FC518D31A001169ACB14DF68CB50ABEB7E5AF64328B20522DE426F72C5DB32ED42C790

Function 00EC372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EC3774
CoUninitialize.OLE32 ref: 00EC377F
CoCreateInstance.OLE32(?,00000000,00000017,00EDFB78,?), ref: 00EC37D9
IIDFromString.OLE32(?,?), ref: 00EC384C
VariantInit.OLEAUT32(?), ref: 00EC38E4
VariantClear.OLEAUT32(?), ref: 00EC3936

Strings

Failed to create object, xrefs: 00EC37E4, 00EC389A
Invalid parameter, xrefs: 00EC3865
NULL Pointer assignment, xrefs: 00EC381E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 31302255aeb3ee8f497aa3f2bddb3753525829a4283c030e71435fb9dabfb7bc
Instruction ID: e9d7b0446c6a16912fa1cb3767fc1d4af5852fa2e44968ab67c3ff090f670d5d
Opcode Fuzzy Hash: 31302255aeb3ee8f497aa3f2bddb3753525829a4283c030e71435fb9dabfb7bc
Instruction Fuzzy Hash: 7261BD71608301AFD314DF64D988F9ABBE4EF49714F10980EF985AB291C771EE49CB92

Function 00EB3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EB33CF

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EB33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00EB3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00EB3504
^ ERROR , xrefs: 00EB349E
Incorrect parameters to object property !, xrefs: 00EB34AB
Error: , xrefs: 00EB34D1
Line %d (File "%s"):, xrefs: 00EB3443, 00EB345C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
Instruction ID: d7190169f1d8b9aa70a09650f4b59cfb2f1075d947c484973b5de2579d271f8a
Opcode Fuzzy Hash: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
Instruction Fuzzy Hash: B151A272D00209AADF15EBE0ED46EEEB3B9EF08340F205165F51572092EB356F58EB61

Function 00EAB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EAB5FC
_wcslen.LIBCMT ref: 00EAB608
_wcslen.LIBCMT ref: 00EAB64D
_wcslen.LIBCMT ref: 00EAB68C
_wcslen.LIBCMT ref: 00EAB6C7

Strings

APPEND, xrefs: 00EAB6C1, 00EAB6C6
REMOVE, xrefs: 00EAB602, 00EAB607
EXISTS, xrefs: 00EAB686, 00EAB68B
KEYS, xrefs: 00EAB647, 00EAB64C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
Instruction ID: 97223d1f27c8c40dfa3129a70fad2361a066279bc4cbae0465fd4efbd5ae2c10
Opcode Fuzzy Hash: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
Instruction Fuzzy Hash: B241EC32A000279BCB105F7DC8905BE77E5AFEA758B245229E421FF286E731DD81D790

Function 00EB5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EB5416
GetLastError.KERNEL32 ref: 00EB5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EB54A7

Strings

NOTREADY, xrefs: 00EB544B
UNKNOWN, xrefs: 00EB5444
READONLY, xrefs: 00EB5452
INVALID, xrefs: 00EB5459
READY, xrefs: 00EB5460, 00EB5468

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
Instruction ID: 0bbb4fc5ee9c83fd06890bc0d1ba6193be72887f5061cb1e4f5a4afd4c2a329d
Opcode Fuzzy Hash: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
Instruction Fuzzy Hash: 2A31B036A006059FD710DF68D884BEBBBF4EF45309F149066E416EB292DB71DD86CB90

Function 00ED3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00ED3C79
SetMenu.USER32(?,00000000), ref: 00ED3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED3D10
IsMenu.USER32(?), ref: 00ED3D24
CreatePopupMenu.USER32 ref: 00ED3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00ED3D5B
DrawMenuBar.USER32 ref: 00ED3D63

Strings

F, xrefs: 00ED3D4E
0, xrefs: 00ED3C54

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 33e65c90e69cbc94b2e18e932df941d9b6fa2b55c1cfce9b20a33b2d6c35626b
Instruction ID: b0f0d3346c1054d9dec3ff9c146eb38ca015f22bfbd7fa22c80814dc6b83bfe3
Opcode Fuzzy Hash: 33e65c90e69cbc94b2e18e932df941d9b6fa2b55c1cfce9b20a33b2d6c35626b
Instruction Fuzzy Hash: AF417E75A0120AEFDF14CF65E844ADA77B6FF49354F24002AF946A7360D730AA15CF51

Function 00EA1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EA1F64
GetDlgCtrlID.USER32 ref: 00EA1F6F
GetParent.USER32 ref: 00EA1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA1F8E
GetDlgCtrlID.USER32(?), ref: 00EA1F97
GetParent.USER32(?), ref: 00EA1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EA1FAE

Strings

ComboBox, xrefs: 00EA1EEC
ListBox, xrefs: 00EA1F21

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7bc752ed4032718e28d8c6859ede319dfe6dc4bc86c30083e0c289e9bee3ab73
Instruction ID: 137fd97e28f3185bcab59ddd27516a544e738022563c734532849cdffc5e4a83
Opcode Fuzzy Hash: 7bc752ed4032718e28d8c6859ede319dfe6dc4bc86c30083e0c289e9bee3ab73
Instruction Fuzzy Hash: EC21B374E00114BFCF04AFA0EC859EEBBB4EF0A350F101156B961772D1CB74A908DB61

Function 00ED3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00ED3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00ED3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00ED3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ED3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00ED3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00ED3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00ED3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00ED3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00ED3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00ED3C13

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f10e226a1cd8e3d05961841f2bc4f072351faf821fbb23e4409249597fc38637
Instruction ID: 9ba20eb11699899047fb5f43ef814fff2d704ede4fe1c31fb97acd1694ad3692
Opcode Fuzzy Hash: f10e226a1cd8e3d05961841f2bc4f072351faf821fbb23e4409249597fc38637
Instruction Fuzzy Hash: 9E615B75A00248AFDB10DFA8CC81EEE77F8EB09714F10419AFA15A7391D770AE46DB61

Function 00E72C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E72C94

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E72CA0
_free.LIBCMT ref: 00E72CAB
_free.LIBCMT ref: 00E72CB6
_free.LIBCMT ref: 00E72CC1
_free.LIBCMT ref: 00E72CCC
_free.LIBCMT ref: 00E72CD7
_free.LIBCMT ref: 00E72CE2
_free.LIBCMT ref: 00E72CED
_free.LIBCMT ref: 00E72CFB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f19e327e29317bc26eaae652a9fdabb019bb6843338b74cd61ef6d379592a61
Instruction ID: 3a2aae6ce47a1cb69755843b8c97b571b5a9609d963a5aa2637e0a22983ddb2f
Opcode Fuzzy Hash: 9f19e327e29317bc26eaae652a9fdabb019bb6843338b74cd61ef6d379592a61
Instruction Fuzzy Hash: B511A776500108AFCB02EF64D842CDD7BA5FF45350F4594A9FB4C6F222D631EE909B90

Function 00EB7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EB7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EB7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EB8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EB8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EB80B0

Strings

*.*, xrefs: 00EB8066

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 468841fdd3a09dd053eb56bebc77cefc51b1e368cd054a1be410d4b99f350514
Instruction ID: dcabc4ec09e831817637197586a52e090e32ba34acf1b43be4ecb994f1897ea5
Opcode Fuzzy Hash: 468841fdd3a09dd053eb56bebc77cefc51b1e368cd054a1be410d4b99f350514
Instruction Fuzzy Hash: 03818F715082019BDB20EF14C844AEBB3E8AFC8354F14685EF8C5E7651EB35ED49CB92

Function 00E45BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E45C7A

Part of subcall function 00E45D0A: GetClientRect.USER32(?,?), ref: 00E45D30
Part of subcall function 00E45D0A: GetWindowRect.USER32(?,?), ref: 00E45D71
Part of subcall function 00E45D0A: ScreenToClient.USER32(?,?), ref: 00E45D99

GetDC.USER32 ref: 00E846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E84708
SelectObject.GDI32(00000000,00000000), ref: 00E84716
SelectObject.GDI32(00000000,00000000), ref: 00E8472B
ReleaseDC.USER32(?,00000000), ref: 00E84733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E847C4

Strings

U, xrefs: 00E84693

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ad9eb968f4d2c3e03df7ca4835b04fcabf3d19d78a7f5266714c1c1ebd5094c9
Instruction ID: 3af10999165d3c4369e10c078ec488f4308bedfb5ad2a99fd9bc548911739a52
Opcode Fuzzy Hash: ad9eb968f4d2c3e03df7ca4835b04fcabf3d19d78a7f5266714c1c1ebd5094c9
Instruction Fuzzy Hash: A571F371400206DFCF21AF64D984AFA7BB1FF4A368F14626AED5D7A1A6D3318841DF50

Function 00EB359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EB35E4

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

LoadStringW.USER32(00F12390,?,00000FFF,?), ref: 00EB360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00EB3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00EB3724
Error: , xrefs: 00EB36EF
Line %d (File "%s"):, xrefs: 00EB366B
^ ERROR, xrefs: 00EB36C9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
Instruction ID: 062f3bf06dacd8b8dbb4651591184ac011de47535affbf2acf854f7c22fb30d0
Opcode Fuzzy Hash: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
Instruction Fuzzy Hash: 5F517171D00219BADF15EBA0EC42EEEBBB4EF04304F146125F51572192DB316B99DFA1

Function 00ED8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

Part of subcall function 00E5912D: GetCursorPos.USER32(?), ref: 00E59141
Part of subcall function 00E5912D: ScreenToClient.USER32(00000000,?), ref: 00E5915E
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000001), ref: 00E59183
Part of subcall function 00E5912D: GetAsyncKeyState.USER32(00000002), ref: 00E5919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00ED8B6B
ImageList_EndDrag.COMCTL32 ref: 00ED8B71
ReleaseCapture.USER32 ref: 00ED8B77
SetWindowTextW.USER32(?,00000000), ref: 00ED8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00ED8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00ED8CFF

Strings

@GUI_DRAGFILE, xrefs: 00ED8C9A
@GUI_DROPID, xrefs: 00ED8C51

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b3c11b9ed1b7ca0438c9d64d156b912036adbf878dc4b52e940d1cd8afbc1280
Instruction ID: a169a562c1efb29a4ca07d099ee420b6cc4e5d740f2ed2207c0960e94d552e00
Opcode Fuzzy Hash: b3c11b9ed1b7ca0438c9d64d156b912036adbf878dc4b52e940d1cd8afbc1280
Instruction Fuzzy Hash: 5451BD70205304AFD714DF14ED56FAAB7E4FB88754F50162EFA52A72E2CB709908CB62

Function 00EBC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC2CA
GetLastError.KERNEL32 ref: 00EBC322
SetEvent.KERNEL32(?), ref: 00EBC336
InternetCloseHandle.WININET(00000000), ref: 00EBC341

Strings

, xrefs: 00EBC2BB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
Instruction ID: 60db359300a64e65523e288ee972d3946d387bf5b4953c92321809d92e7aae95
Opcode Fuzzy Hash: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
Instruction Fuzzy Hash: 17319171608608AFD7219F659C84AEB7BFCEB49784B64951EF486F2210DB34DD058B60

Function 00EA989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E83AAF,?,?,Bad directive syntax error,00EDCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EA98BC
LoadStringW.USER32(00000000,?,00E83AAF,?), ref: 00EA98C3

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EA9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00EA98F1
Error: , xrefs: 00EA9955
Line %d:, xrefs: 00EA9912
., xrefs: 00EA996D
Line %d (File "%s"):, xrefs: 00EA992D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
Instruction ID: 2576b4bc77724f5333dc225012532664db0eb139bac5c52413cf6227ebac7a06
Opcode Fuzzy Hash: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
Instruction Fuzzy Hash: 90216F3290021AABDF15EF90DC0AEEE77B5FF18300F045466F515760A2DA31A628EB51

Function 00EA209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EA20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EA20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EA214D

Strings

details, xrefs: 00EA20FB
SHELLDLL_DefView, xrefs: 00EA20CC
list, xrefs: 00EA212F
largeicons, xrefs: 00EA20E1
smallicons, xrefs: 00EA2115

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
Instruction ID: 36a9a6f159d9abd93355379aa3cdaef99d2f7e2064395906c36239dd5401f912
Opcode Fuzzy Hash: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
Instruction Fuzzy Hash: 2C11EBB66C570779FA012224AC06DE737DCCB1A754B20211AF704B90D1FAA1B8416915

Function 00E7CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E7CEB7
_free.LIBCMT ref: 00E7CF22
_free.LIBCMT ref: 00E7CF48
_free.LIBCMT ref: 00E7CF71
_free.LIBCMT ref: 00E7CFA9
_free.LIBCMT ref: 00E7CFDA
_free.LIBCMT ref: 00E7D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E7D09C
_free.LIBCMT ref: 00E7D0B5

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1f89cdd5db8b572cf99f02201c47eaa972848ba6250a8936733bc492809ef6f0
Instruction ID: f3aa07bc893811c36776752ab7f8dbffbb93a8711fb6d340c72557a0443d79de
Opcode Fuzzy Hash: 1f89cdd5db8b572cf99f02201c47eaa972848ba6250a8936733bc492809ef6f0
Instruction Fuzzy Hash: 36616C71A043046FDB29AFB4AC41AAD7BE9EF05314F24E16EFA4CB7281DB319D418750

Function 00ED50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00ED5186
ShowWindow.USER32(?,00000000), ref: 00ED51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00ED51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00ED51D1

Part of subcall function 00ED6FBA: DeleteObject.GDI32(00000000), ref: 00ED6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00ED520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00ED524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00ED5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00ED5296

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
Instruction ID: bb6c7b596e60c810477dbd800c52b5380bac80f325720869d2a81d0a01467c1d
Opcode Fuzzy Hash: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
Instruction Fuzzy Hash: 7F51B032A42A09FEEF209F24CC45BD83BB5EB05365F146013FA24B63E1C371998ADB41

Function 00E58B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E96890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E96901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E9691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E9692D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
Instruction ID: fe58c51601bd8a988c1cebdfa159795454045e249f7d7e831ea8421b01a003fc
Opcode Fuzzy Hash: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
Instruction Fuzzy Hash: BC519774600209EFDF208F25CC51BAA3BB9FB88765F105919F952B72A0DB70E984DB40

Function 00EBC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC182
GetLastError.KERNEL32 ref: 00EBC195
SetEvent.KERNEL32(?), ref: 00EBC1A9

Part of subcall function 00EBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
Part of subcall function 00EBC253: GetLastError.KERNEL32 ref: 00EBC322
Part of subcall function 00EBC253: SetEvent.KERNEL32(?), ref: 00EBC336
Part of subcall function 00EBC253: InternetCloseHandle.WININET(00000000), ref: 00EBC341

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
Instruction ID: e862237edf43b0c3de7e9b45e75631de607145237dcfd871e1dd27a5ea4e5cb0
Opcode Fuzzy Hash: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
Instruction Fuzzy Hash: B231AE71205A01EFDB219FB6ED04AA7BBF9FF58344B20541EF956E6620D730E814DBA0

Function 00EA25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EA25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EA25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EA2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EA2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EA2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EA2627

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
Instruction ID: d26dba73aca0b683351b03458e48d0f21d3b053076758dd1a06d3f1ffeb78840
Opcode Fuzzy Hash: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
Instruction Fuzzy Hash: E101D830791320BBFB1067699C8AF597F99DB4EB51F201006F314BF0D1C9E16444CA6A

Function 00EA1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EA1449,?,?,00000000), ref: 00EA180C
HeapAlloc.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EA1449,?,?,00000000), ref: 00EA1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EA1449,?,?,00000000), ref: 00EA1830
DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EA1449,?,?,00000000), ref: 00EA1843
GetCurrentProcess.KERNEL32(00EA1449,00000000,?,00EA1449,?,?,00000000), ref: 00EA184B
DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA184E
CreateThread.KERNEL32(00000000,00000000,00EA1874,00000000,00000000,00000000), ref: 00EA1868

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
Instruction ID: 5a47dc6ecb0c89f957f1d9940f7adec5a6182c998889f851c2630b9f5472a180
Opcode Fuzzy Hash: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
Instruction Fuzzy Hash: B701C275241315BFE710AF75EC4DF573B6CEB89B51F104451FA05EB192C6749804CB20

Function 00E73E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E73F0B
__alldvrm.LIBCMT ref: 00E7410C
__alldvrm.LIBCMT ref: 00E7412E

Strings

}}, xrefs: 00E73E8A
}}, xrefs: 00E740CD
}}, xrefs: 00E73E96, 00E73EF1, 00E73F0A, 00E74090

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a298016f6ce550ca3a3934011ff869a4d739e6678305edcb31cd6bcd499797a1
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0EA179B1E003869FDB25DF28C8917AEBBE4EF61354F1491ADE59DAB2C1C3348981C751

Function 00ECA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
Part of subcall function 00EAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
Part of subcall function 00EAD4DC: CloseHandle.KERNEL32(00000000), ref: 00EAD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA16D
GetLastError.KERNEL32 ref: 00ECA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00ECA268
GetLastError.KERNEL32(00000000), ref: 00ECA273
CloseHandle.KERNEL32(00000000), ref: 00ECA2C4

Strings

SeDebugPrivilege, xrefs: 00ECA18F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 38234d12fe0da88c22838343ac9e8352caab7bd98066251dc2faab371a039c30
Instruction ID: 876f00ea9c28dfab003b570519960227b1103a7c5e199e1af2a7d974ad0b3f20
Opcode Fuzzy Hash: 38234d12fe0da88c22838343ac9e8352caab7bd98066251dc2faab371a039c30
Instruction Fuzzy Hash: E261CE702092529FD724DF14D594F16BBE1AF4430CF18949CE466ABBA3C776EC4ACB82

Function 00ED3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00ED3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00ED393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00ED3954
_wcslen.LIBCMT ref: 00ED3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00ED39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00ED39F4

Strings

SysListView32, xrefs: 00ED38F7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
Instruction ID: cbda60ec0352c8dd25d9804208f83e348b2564014b7e3bd19de0612e0f19ebc8
Opcode Fuzzy Hash: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
Instruction Fuzzy Hash: 4D41FC31A00209ABEB219F64CC49BEA7BA9EF08354F101127F958F72C1D7B0DA81CB91

Function 00EABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EABCFD
IsMenu.USER32(00000000), ref: 00EABD1D
CreatePopupMenu.USER32 ref: 00EABD53
GetMenuItemCount.USER32(00985920), ref: 00EABDA4
InsertMenuItemW.USER32(00985920,?,00000001,00000030), ref: 00EABDCC

Strings

2, xrefs: 00EABD37
0, xrefs: 00EABCA8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b31b71c0d0b5035d76bdb83c510a7460d8dabd311d0ae8b5ad77363a1b0ba3b6
Instruction ID: dfb823da3c7afee7ccb9887285d651b024b7f33aa5556310720427865b4d91a8
Opcode Fuzzy Hash: b31b71c0d0b5035d76bdb83c510a7460d8dabd311d0ae8b5ad77363a1b0ba3b6
Instruction Fuzzy Hash: 21518D70A002059BDF10CFB9D884BAEBBF4AF4A358F24525AE411FF292D770A945CB61

Function 00E62D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E62D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E62D53
_ValidateLocalCookies.LIBCMT ref: 00E62DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E62E0C
_ValidateLocalCookies.LIBCMT ref: 00E62E61

Strings

&H, xrefs: 00E62DFE, 00E62E07, 00E62E18
csm, xrefs: 00E62DF6

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
Instruction ID: 1ac4f54686859ad85031b06dc361493fa17f75f03032c07ef95acec7e4abd6b5
Opcode Fuzzy Hash: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
Instruction Fuzzy Hash: D941F634A406099BCF10DF68E844ADEBBF4BF443A8F149159E914BB392D731DA05CBD0

Function 00EAC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EAC913

Strings

warning, xrefs: 00EAC8FC
info, xrefs: 00EAC8B4
stop, xrefs: 00EAC8E4
blank, xrefs: 00EAC895
question, xrefs: 00EAC8CC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
Instruction ID: 4ecd18623a356dad3e42bb1eddddadae5736f8ae779830baa4d2839d826d3ead
Opcode Fuzzy Hash: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
Instruction Fuzzy Hash: 70112B35689307BEE7055B54AC82CEB67DCDF5A358B30102FF504FA2C2EBA4BD006265

Function 00EADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EADE42
gethostname.WSOCK32(?,00000100), ref: 00EADE5C
gethostbyname.WSOCK32(?), ref: 00EADE69
inet_ntoa.WSOCK32(?), ref: 00EADEAB
_strcat.LIBCMT ref: 00EADEB9
WSACleanup.WSOCK32 ref: 00EADEDE

Strings

0.0.0.0, xrefs: 00EADE87

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7959e5e3f264cc74bcec35c17463a406bcfbc40f4de1d9a8e78415c24f9c62a2
Instruction ID: b0edc4c278910f00f7b90629c239d76afbdd620ba958834b0aee5513be906a68
Opcode Fuzzy Hash: 7959e5e3f264cc74bcec35c17463a406bcfbc40f4de1d9a8e78415c24f9c62a2
Instruction Fuzzy Hash: 53113A71948115AFCB246B30AC0AEDE77FCDF19364F10116AF406BA091EF70AA81DA50

Function 00EAED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EAED2A
_wcslen.LIBCMT ref: 00EAED3B
_wcslen.LIBCMT ref: 00EAED79
_wcslen.LIBCMT ref: 00EAEDAF
_wcslen.LIBCMT ref: 00EAEDDF
_wcslen.LIBCMT ref: 00EAEDEF
_wcslen.LIBCMT ref: 00EAEE2B
_wcslen.LIBCMT ref: 00EAEE5A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
Instruction ID: 9643025c03bf2f63c07f79b96ff80355545f462ffe9133af136c9f9b9d56b249
Opcode Fuzzy Hash: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
Instruction Fuzzy Hash: F041BE65C5021876DB11EBB49C8A9CFB3ECAF46340F50A462E518F3262FB34E245C3A6

Function 00E5F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E5F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E9F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00E9F454

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f7ce70b61f509e50f53f2d0b78b92cfaac760aefab4c03ebcc4dc0eae77907d0
Instruction ID: 17a4e69865342fde6c06e6f83e885f2161124e0fc2c15a93f66fa64921cd8021
Opcode Fuzzy Hash: f7ce70b61f509e50f53f2d0b78b92cfaac760aefab4c03ebcc4dc0eae77907d0
Instruction Fuzzy Hash: E6414031504A80BECB348B79D9887AA7BD1BBD635AF14783DE857B2560C671D488C711

Function 00ED2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00ED2D1B
GetDC.USER32(00000000), ref: 00ED2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00ED2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00ED2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ED2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00ED5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00ED2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00ED2DE1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
Instruction ID: 6bcfc957c7d86159057803afc26c3bd19136da4c2ebb8367243c2336d6e2f487
Opcode Fuzzy Hash: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
Instruction Fuzzy Hash: BC31AE72202214BFEB118F51DC8AFEB3FADEF19755F144056FE08AA291C6759C41CBA1

Function 00EA5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EA5637
_memcmp.LIBVCRUNTIME ref: 00EA5659
_memcmp.LIBVCRUNTIME ref: 00EA5671
_memcmp.LIBVCRUNTIME ref: 00EA5684
_memcmp.LIBVCRUNTIME ref: 00EA569E
_memcmp.LIBVCRUNTIME ref: 00EA56B1
_memcmp.LIBVCRUNTIME ref: 00EA56C9
_memcmp.LIBVCRUNTIME ref: 00EA56E4

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
Instruction ID: fda035ffbc755e9b7ae9aabebd4edf0ed6b81a3062c308f632feb057ea846190
Opcode Fuzzy Hash: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
Instruction Fuzzy Hash: D121DA636C0B05B7D21595105E82FFA739CEF6A388F456022FD067E741F720FD1181A5

Function 00EC4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00EC5007
NULL Pointer assignment, xrefs: 00EC502E, 00EC5383

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ca1cef884fceb145b3b74604b7fc58416236bf6df03ff00eaa62c7b22d4fda68
Instruction ID: 1e86bbe561bc673312c02fc4999c90f1698d9087d93bf410a067c62f713dbf0d
Opcode Fuzzy Hash: ca1cef884fceb145b3b74604b7fc58416236bf6df03ff00eaa62c7b22d4fda68
Instruction Fuzzy Hash: FFD1AE72A0060A9FDF14CF98C981FAEB7B5BF48344F14906DE915BB281D772E986CB50

Function 00E81522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E81651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E817FB,?,00E817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E816FB

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E81777
__freea.LIBCMT ref: 00E817A2
__freea.LIBCMT ref: 00E817AE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
Instruction ID: 11a2eb21246f0f0dc470b831a69aeae5bbb9861f86c31c94da705990384db0db
Opcode Fuzzy Hash: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
Instruction Fuzzy Hash: 4991B371E002169ADB20AF74D841AEE7BF9EF49354F18669AE80DF7181D735CC42CB60

Function 00EC4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC4648
VariantInit.OLEAUT32(?), ref: 00EC4749
VariantClear.OLEAUT32(?), ref: 00EC4753
VariantClear.OLEAUT32(?), ref: 00EC47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00EC472C
Null Object assignment in FOR..IN loop, xrefs: 00EC45D8, 00EC4706, 00EC47BE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 00e5b151b6ab568d984dd41c0d77a9cfeab6264077e6cf5f12e2845cf39cbea2
Instruction ID: 6f7d13fc56f42cabc31211c69096c2a5cf8e90b28dcb1bc5e00a930786e8469e
Opcode Fuzzy Hash: 00e5b151b6ab568d984dd41c0d77a9cfeab6264077e6cf5f12e2845cf39cbea2
Instruction Fuzzy Hash: 1091ADB0A00219ABDF20CFA4C954FAEBBB8EF46714F10955EF505BB2C0D7719946CBA0

Function 00EB1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EB125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EB1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EB12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EB1430

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 417d9d6fa021622f3171de7bd486ad86f99d2816631dc7836380c772d714e42a
Instruction ID: f32a3651642e62ab668c47e07d71f204be6c88a9943d20c0f46bfeac11c5ac5b
Opcode Fuzzy Hash: 417d9d6fa021622f3171de7bd486ad86f99d2816631dc7836380c772d714e42a
Instruction Fuzzy Hash: F191DD71A00219AFDB009FA8D8A4BEFB7F5FF45325F1050A9E910FB2A1D774A941CB90

Function 00E5948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
Instruction ID: 0e453b04db58b4d5fd563277b4b9d1e65502f9a7c9c2efbed517fef6e045b4ca
Opcode Fuzzy Hash: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
Instruction Fuzzy Hash: 1A914871D00219EFCB10CFA9CC84AEEBBB8FF48320F149555E915B7252D378A955CB60

Function 00EC3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC396B
CharUpperBuffW.USER32(?,?), ref: 00EC3A7A
_wcslen.LIBCMT ref: 00EC3A8A
VariantClear.OLEAUT32(?), ref: 00EC3C1F

Part of subcall function 00EB0CDF: VariantInit.OLEAUT32(00000000), ref: 00EB0D1F
Part of subcall function 00EB0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EB0D28
Part of subcall function 00EB0CDF: VariantClear.OLEAUT32(?), ref: 00EB0D34

Strings

Incorrect Parameter format, xrefs: 00EC39A6, 00EC3BA1
AUTOIT.ERROR, xrefs: 00EC3A80, 00EC3A85

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b8bbf6cd75a75d49b01bca24d02c582ef5b2f628fe020fecc9e8712222c63be3
Instruction ID: cc4406ed9777d18d69dcd13f6d30c68630b009058372202029bcfe71564db454
Opcode Fuzzy Hash: b8bbf6cd75a75d49b01bca24d02c582ef5b2f628fe020fecc9e8712222c63be3
Instruction Fuzzy Hash: 21915A75A083019FC704EF24C580A6AB7E5FF89314F14996DF889AB351DB31EE46CB92

Function 00EC4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EA000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?,?,00EA035E), ref: 00EA002B
Part of subcall function 00EA000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0046
Part of subcall function 00EA000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0054
Part of subcall function 00EA000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?), ref: 00EA0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EC4C51
_wcslen.LIBCMT ref: 00EC4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EC4DCF
CoTaskMemFree.OLE32(?), ref: 00EC4DDA

Strings

NULL Pointer assignment, xrefs: 00EC4E23, 00EC4E52

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
Instruction ID: 7efb8c24e2c97cb7b04f166fdae6ef54f90bdab476d32a45d15506d1e6acc57f
Opcode Fuzzy Hash: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
Instruction Fuzzy Hash: DD9127B1D002199FDF14DFA4D890EEEBBB8BF08314F10516AE915BB291DB315A45CF60

Function 00ED20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00ED2183
GetMenuItemCount.USER32(00000000), ref: 00ED21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00ED21DD
_wcslen.LIBCMT ref: 00ED2213
GetMenuItemID.USER32(?,?), ref: 00ED224D
GetSubMenu.USER32(?,?), ref: 00ED225B

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ED22E3

Part of subcall function 00EAE97B: Sleep.KERNELBASE ref: 00EAE9F3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 374919aa332711ffdc93c66dd504511f5a492fc7b9d62733f54242ecc9d355a5
Instruction ID: 0de30793a11257d6f62fff956cdd1e6efde87e5d80f42686aa8eac7ddb070936
Opcode Fuzzy Hash: 374919aa332711ffdc93c66dd504511f5a492fc7b9d62733f54242ecc9d355a5
Instruction Fuzzy Hash: A8719D35A00205AFCB10DF64C841AAEB7F5EF98310F14945EEA26FB351DB35EE428B90

Function 00ED7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(009858D0), ref: 00ED7F37
IsWindowEnabled.USER32(009858D0), ref: 00ED7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00ED801E
SendMessageW.USER32(009858D0,000000B0,?,?), ref: 00ED8051
IsDlgButtonChecked.USER32(?,?), ref: 00ED8089
GetWindowLongW.USER32(009858D0,000000EC), ref: 00ED80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00ED80C3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3d8a39e4fd668ed8973ca399504cf480b6e3cd377f430eef1687e145196c8a68
Instruction ID: 98cf63a531aeb161e3d019394570066d928e9997c117445b177eed20927dfdf8
Opcode Fuzzy Hash: 3d8a39e4fd668ed8973ca399504cf480b6e3cd377f430eef1687e145196c8a68
Instruction Fuzzy Hash: B571BF34608204AFEB319F54C984FEABBB5FF09344F14505BE995B73A1DB31A84ADB10

Function 00EAAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EAAEF9
GetKeyboardState.USER32(?), ref: 00EAAF0E
SetKeyboardState.USER32(?), ref: 00EAAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EAAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EAAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EAAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EAB020

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
Instruction ID: 64a21f1a8dd9cef2de80d49d4351d7782b9e8f8bbdde54ad4533e17f07b9ce19
Opcode Fuzzy Hash: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
Instruction Fuzzy Hash: 2851A1A06047D57DFB364234CC45BBABEE95B0B308F0C959AE1E9694D3C398B8C8D761

Function 00EAACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EAAD19
GetKeyboardState.USER32(?), ref: 00EAAD2E
SetKeyboardState.USER32(?), ref: 00EAAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EAADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EAADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EAAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EAAE38

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
Instruction ID: 0bb846b9dcbcafe2b78f4a2e6e01b234125d7dd69c170b7bbffdad4ee7b587c0
Opcode Fuzzy Hash: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
Instruction Fuzzy Hash: C651B1A15047D53DFB3782248C55B7ABEE85B4B308F0CA499E1D56E8C2D394FC88E762

Function 00E7542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00E83CD6,?,?,?,?,?,?,?,?,00E75BA3,?,?,00E83CD6,?,?), ref: 00E75470
__fassign.LIBCMT ref: 00E754EB
__fassign.LIBCMT ref: 00E75506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00E83CD6,00000005,00000000,00000000), ref: 00E7552C
WriteFile.KERNEL32(?,00E83CD6,00000000,00E75BA3,00000000,?,?,?,?,?,?,?,?,?,00E75BA3,?), ref: 00E7554B
WriteFile.KERNEL32(?,?,00000001,00E75BA3,00000000,?,?,?,?,?,?,?,?,?,00E75BA3,?), ref: 00E75584

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
Instruction ID: 08ea1f466b4951d206d57d74364a43a5c3d74fc5251e306170f658535b1c9d7d
Opcode Fuzzy Hash: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
Instruction Fuzzy Hash: A951C371A006499FDB10CFA8D845AEEBBF9EF09300F14915AF959F7291E7709A41CF60

Function 00EC10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC304E: inet_addr.WSOCK32(?), ref: 00EC307A
Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00EC1112
WSAGetLastError.WSOCK32 ref: 00EC1121
WSAGetLastError.WSOCK32 ref: 00EC11C9
closesocket.WSOCK32(00000000), ref: 00EC11F9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
Instruction ID: c6ee3c473a1b174a36258815ca5a08abbf64193c667d71cf6c4ed9a0d421e5e8
Opcode Fuzzy Hash: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
Instruction Fuzzy Hash: 31412631201205AFDB109F24D944FA9B7E9EF42368F188099FD15BB282C779ED46CBE0

Function 00EACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EACF22,?), ref: 00EADDFD

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EACF22,?), ref: 00EADE16

lstrcmpiW.KERNEL32(?,?), ref: 00EACF45
MoveFileW.KERNEL32(?,?), ref: 00EACF7F
_wcslen.LIBCMT ref: 00EAD005
_wcslen.LIBCMT ref: 00EAD01B
SHFileOperationW.SHELL32(?), ref: 00EAD061

Strings

\*.*, xrefs: 00EACFF3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
Instruction ID: bdb834b0035608c79aa57c4a8aff04b30b679d09253491f862cd5c4f839c9b27
Opcode Fuzzy Hash: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
Instruction Fuzzy Hash: 854163759452199EDF12EBA4DD81ADEB7F9AF0D380F1010E6E505FF142EA34BA48CB50

Function 00ED2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00ED2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00ED2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00ED2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00ED2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00ED2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00ED2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED2F0B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
Instruction ID: cffaae7062b80b5f2377fe1877905cc5de853d2bb572238bc47f7e64c5d4331e
Opcode Fuzzy Hash: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
Instruction Fuzzy Hash: F53137306451459FEB22CF19DC84FA537E0FBAAB14F1551AAFA10AB2B1CB71E841EB01

Function 00EA7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA778F
SysAllocString.OLEAUT32(00000000), ref: 00EA7792
SysAllocString.OLEAUT32(?), ref: 00EA77B0
SysFreeString.OLEAUT32(?), ref: 00EA77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EA77DE
SysAllocString.OLEAUT32(?), ref: 00EA77EC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f93ca2e64289b37bf4f061e26f98cc2c2928b095572520d0be1e467f0d0596df
Instruction ID: 5381c3f32a7bfa77aa367c67d9c6589896e3728b2c8d3e7874a64ec91569e37d
Opcode Fuzzy Hash: f93ca2e64289b37bf4f061e26f98cc2c2928b095572520d0be1e467f0d0596df
Instruction Fuzzy Hash: BD21DE3660921AAFDB00DFA8DC88CFB33ECEB0A3A47108026FA54EB150D670EC45C760

Function 00EA77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7868
SysAllocString.OLEAUT32(00000000), ref: 00EA786B
SysAllocString.OLEAUT32 ref: 00EA788C
SysFreeString.OLEAUT32 ref: 00EA7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EA78AF
SysAllocString.OLEAUT32(?), ref: 00EA78BD

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 835db5766452d3011483eb0faca50f785a01ac16d225b7c69281cacc3965cc53
Instruction ID: 8dee8932953ff464b1bf56c7147d45b52a0cab070113167c2947fcc016d2c439
Opcode Fuzzy Hash: 835db5766452d3011483eb0faca50f785a01ac16d225b7c69281cacc3965cc53
Instruction Fuzzy Hash: 8721F131608215AFDB14DFA8DC88CAA77ECEF0E3607108125F910EF2A0DA78EC44CB64

Function 00EB04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EB04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB052E

Strings

nul, xrefs: 00EB0567

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
Instruction ID: 1f4911eb983a6fd0b481e5ae044077419c55709775b4006c441bf68bfe2921e0
Opcode Fuzzy Hash: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
Instruction Fuzzy Hash: 24215CB5501306AFDB309F69DC44ADB77E4AF44768F204A19E9A1F62E0D770A944CF20

Function 00EB05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EB05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB0601

Strings

nul, xrefs: 00EB0639

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
Instruction ID: a39fd1d75259ba30cd029af6fe82df90c8fd69112c3ef0c30b0f284ffb6163f3
Opcode Fuzzy Hash: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
Instruction Fuzzy Hash: B2217F755003069FDB209F699C04ADB77E4BF95764F201B19E9A1F72E4D770A860CB10

Function 00ED40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
Part of subcall function 00E4600E: GetStockObject.GDI32(00000011), ref: 00E46060
Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00ED4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00ED411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00ED412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00ED4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00ED4145

Strings

Msctls_Progress32, xrefs: 00ED40E3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
Instruction ID: 2a944d1e6c4f87751a5925e6be0c4e2622ce37e05e1d9d857edb217d5ed187cf
Opcode Fuzzy Hash: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
Instruction Fuzzy Hash: F31193B2150219BFEF119E64CC85EE77FADEF18798F015111B718A2190C672DC21DBA4

Function 00E7D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E7D7A3: _free.LIBCMT ref: 00E7D7CC

_free.LIBCMT ref: 00E7D82D

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7D838
_free.LIBCMT ref: 00E7D843
_free.LIBCMT ref: 00E7D897
_free.LIBCMT ref: 00E7D8A2
_free.LIBCMT ref: 00E7D8AD
_free.LIBCMT ref: 00E7D8B8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 011f3f40f8d44a1f048a904bc20134d84f79604b1242c55b2019989e3726f615
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B7115E71544B04AAD625FFB4CC47FCBBBECAF80700F44982AF39DB6092DA65B5458760

Function 00EADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EADA74
LoadStringW.USER32(00000000), ref: 00EADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EADA91
LoadStringW.USER32(00000000), ref: 00EADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EADAB9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: d4d4676b85d8c7708552735d5f5db3d1754e49e1ec5e28122f05acd26995d2f9
Instruction ID: 86aa0f2e761d5b46082847452e6cccf3916435cb00e85ef6bdce3dc257fdbf9a
Opcode Fuzzy Hash: d4d4676b85d8c7708552735d5f5db3d1754e49e1ec5e28122f05acd26995d2f9
Instruction Fuzzy Hash: 690162F65002197FE7109BA0AD89EEB776CEB09741F500592B716F6081EA74AE888F74

Function 00EB096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0097DC18,0097DC18), ref: 00EB097B
EnterCriticalSection.KERNEL32(0097DBF8,00000000), ref: 00EB098D
TerminateThread.KERNEL32(?,000001F6), ref: 00EB099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EB09A9
CloseHandle.KERNEL32(?), ref: 00EB09B8
InterlockedExchange.KERNEL32(0097DC18,000001F6), ref: 00EB09C8
LeaveCriticalSection.KERNEL32(0097DBF8), ref: 00EB09CF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
Instruction ID: 44d6566f0f21e971f22311cdcd547c165a7fb50712dd13f3a6515fb0fca00771
Opcode Fuzzy Hash: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
Instruction Fuzzy Hash: FEF01D31483913AFD7515B95EE88BD67B35FF41742F502116F101B08B1C774A469CF90

Function 00EC1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00EC1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EC1DE1
WSAGetLastError.WSOCK32 ref: 00EC1DF2
htons.WSOCK32(?), ref: 00EC1EDB
inet_ntoa.WSOCK32(?), ref: 00EC1E8C

Part of subcall function 00EA39E8: _strlen.LIBCMT ref: 00EA39F2

Part of subcall function 00EC3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EBEC0C), ref: 00EC3240

_strlen.LIBCMT ref: 00EC1F35

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 452f41956b6e5795f8102b31cd1ec988a995f1773b3b5cf8369b17315bec6958
Instruction ID: cc916149436749c06c7a3cfef11d72dcdc34042b3a6f29764299b75335333de4
Opcode Fuzzy Hash: 452f41956b6e5795f8102b31cd1ec988a995f1773b3b5cf8369b17315bec6958
Instruction Fuzzy Hash: 95B1C331204340AFC324DF24D885F6AB7E5AF85318F54A98CF4566B2A3CB72ED46CB91

Function 00E45D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E45D30
GetWindowRect.USER32(?,?), ref: 00E45D71
ScreenToClient.USER32(?,?), ref: 00E45D99
GetClientRect.USER32(?,?), ref: 00E45ED7
GetWindowRect.USER32(?,?), ref: 00E45EF8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dd4a675fb4208d651e64e3bd88e8911cfdf4970acac869bda8ef469ce336cb42
Instruction ID: 983f76d339ba2abed68a21bdb3157202d52da9b479051533ea5737851a06988a
Opcode Fuzzy Hash: dd4a675fb4208d651e64e3bd88e8911cfdf4970acac869bda8ef469ce336cb42
Instruction Fuzzy Hash: 6BB17975A0074ADFDB14DFA9D4807EAB7F1FF48314F14A41AE8A9E7290DB34AA41CB50

Function 00E701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E700D6
__allrem.LIBCMT ref: 00E700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E7010B
__allrem.LIBCMT ref: 00E70122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E70140

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f17930a8099cba36ff5f834a769c489e17097516d9d3bf99dea1af598bdd60a9
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8A812871B00706DBE724AF68DC41B6B73E9AF41368F24A53EF559F6281E7B0D9008B50

Function 00E761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E682D9,00E682D9,?,?,?,00E7644F,00000001,00000001,?), ref: 00E76258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E7644F,00000001,00000001,?,?,?,?), ref: 00E762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E763D8
__freea.LIBCMT ref: 00E763E5

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

__freea.LIBCMT ref: 00E763EE
__freea.LIBCMT ref: 00E76413

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 18246aebe001c43b35eeaa7687d007a59f999b4a7f398e88f72ee94894b76a00
Instruction ID: 90ae7889a8b5f0f0e2f1ec6fbc365116a29fa2849fc69243361c20133a57b950
Opcode Fuzzy Hash: 18246aebe001c43b35eeaa7687d007a59f999b4a7f398e88f72ee94894b76a00
Instruction Fuzzy Hash: A8510272600616BFEB258F64DC81EAF77A9EB84758F249229FC09F6150EB34DC44C760

Function 00ECBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECBD25
RegCloseKey.ADVAPI32(00000000), ref: 00ECBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00ECBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ECBDF3
RegCloseKey.ADVAPI32(?), ref: 00ECBDFF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bf56193fff988b08eb70291147fb1dce6c756a7e628b2e07d10a1eacb390b82d
Instruction ID: 47eb1c94af0c87e90d23af818d55cfa9468ce928fb1f652e818b50b6ea9e1e11
Opcode Fuzzy Hash: bf56193fff988b08eb70291147fb1dce6c756a7e628b2e07d10a1eacb390b82d
Instruction Fuzzy Hash: 9581A230108241AFC714DF24D585E2ABBE5FF84308F14595DF55AAB2A2CB32ED06CB92

Function 00E9F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E9F7B9
SysAllocString.OLEAUT32(00000001), ref: 00E9F860
VariantCopy.OLEAUT32(00E9FA64,00000000), ref: 00E9F889
VariantClear.OLEAUT32(00E9FA64), ref: 00E9F8AD
VariantCopy.OLEAUT32(00E9FA64,00000000), ref: 00E9F8B1
VariantClear.OLEAUT32(?), ref: 00E9F8BB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 23eff87f627570911fec4030b14c4137d8769d2fefe2a605baf9e6972b2cb528
Instruction ID: 450ec3434c5eb298e56546a3b199cca0c54bc77d5d0353a92994bf83758c2b8b
Opcode Fuzzy Hash: 23eff87f627570911fec4030b14c4137d8769d2fefe2a605baf9e6972b2cb528
Instruction Fuzzy Hash: EA51B531600310BACF24ABA5D895B69B3E9EF85324B24A467E905FF296DB70CC40C796

Function 00EB910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EB94E5
_wcslen.LIBCMT ref: 00EB9506
_wcslen.LIBCMT ref: 00EB952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EB9585

Strings

X, xrefs: 00EB9412

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6b515237d6a2b6aeb2833194b0eb7be28f25c6eaf25db0e4007ae82a5bd33a35
Instruction ID: a8b149f197423e1622a18e378fd52fbbdf8282cc479f183d2801d30be547167d
Opcode Fuzzy Hash: 6b515237d6a2b6aeb2833194b0eb7be28f25c6eaf25db0e4007ae82a5bd33a35
Instruction Fuzzy Hash: 12E1B0319083008FD724DF24D881AABB7E5FF85314F14996DF999AB2A2DB31DD05CB92

Function 00E5920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

BeginPaint.USER32(?,?,?), ref: 00E59241
GetWindowRect.USER32(?,?), ref: 00E592A5
ScreenToClient.USER32(?,?), ref: 00E592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E592D3
EndPaint.USER32(?,?,?,?,?), ref: 00E59321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E971EA

Part of subcall function 00E59339: BeginPath.GDI32(00000000), ref: 00E59357

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
Instruction ID: 363ff46f6508d0a2aa9bcec269e5d88ed3cf95727aefe36ff468b5f91a2d2ae4
Opcode Fuzzy Hash: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
Instruction Fuzzy Hash: B741AD30105201EFDB10DF25DC84FEA7BF8FB55765F140629FAA4A72A2C7309849EB61

Function 00EB07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EB080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EB0847
EnterCriticalSection.KERNEL32(?), ref: 00EB0863
LeaveCriticalSection.KERNEL32(?), ref: 00EB08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EB08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EB0921

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e0e6ffef3b11a244e8fb7a3f1ed129fac040101a64fce9d593c3081f29c2b7ad
Instruction ID: 919511a540d3421a9d999c9b1631059f5ae623144fd60fbbfea01912a914a7d7
Opcode Fuzzy Hash: e0e6ffef3b11a244e8fb7a3f1ed129fac040101a64fce9d593c3081f29c2b7ad
Instruction Fuzzy Hash: 35417A71900206EFDF14AF54DC85AAB77B8FF44310F1440A9ED04AA2A7DB30EE65DBA0

Function 00ED81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E9F3AB,00000000,?,?,00000000,?,00E9682C,00000004,00000000,00000000), ref: 00ED824C
EnableWindow.USER32(?,00000000), ref: 00ED8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00ED82D1
ShowWindow.USER32(?,00000004), ref: 00ED82E5
EnableWindow.USER32(?,00000001), ref: 00ED830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00ED832F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
Instruction ID: a6b0b1a890bb936de5b01c693d9173578348a4f21f391a5632a78022a34eab7e
Opcode Fuzzy Hash: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
Instruction Fuzzy Hash: 1D41C634601644EFDB11CF25DE95BE47BF0FB06718F19626AE6586B3B2CB319846CB40

Function 00EA4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EA4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EA4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EA4CEA
_wcslen.LIBCMT ref: 00EA4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EA4D10
_wcsstr.LIBVCRUNTIME ref: 00EA4D1A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a76dfadd2fdda45ac6fb9e26a75503b32ad65ef913098733d13d31402002f78d
Instruction ID: faf10d4f2e7820a5b406741725f825797ec148135719de54c3c35dec55a70770
Opcode Fuzzy Hash: a76dfadd2fdda45ac6fb9e26a75503b32ad65ef913098733d13d31402002f78d
Instruction Fuzzy Hash: 262107B16052017BEB155B39AC0AE7B7BDCDF8A760F10502AF809EE1D1DEA1EC00C2A1

Function 00EB581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E43A97,?,?,00E42E7F,?,?,?,00000000), ref: 00E43AC2

_wcslen.LIBCMT ref: 00EB587B
CoInitialize.OLE32(00000000), ref: 00EB5995
CoCreateInstance.OLE32(00EDFCF8,00000000,00000001,00EDFB68,?), ref: 00EB59AE
CoUninitialize.OLE32 ref: 00EB59CC

Strings

.lnk, xrefs: 00EB5876, 00EB58C1, 00EB5985

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
Instruction ID: efc111af340f888dc017c464b0ad053b320e9fe2f8cf764c41d62032c8b0cebb
Opcode Fuzzy Hash: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
Instruction Fuzzy Hash: 0ED16472A087019FC714DF24C480A6BBBE1EF89714F14985DF899AB361DB31EC45CB92

Function 00EA175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EA0FCA
Part of subcall function 00EA0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EA0FD6
Part of subcall function 00EA0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EA0FE5
Part of subcall function 00EA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EA1002

GetLengthSid.ADVAPI32(?,00000000,00EA1335), ref: 00EA17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EA17BA
HeapAlloc.KERNEL32(00000000), ref: 00EA17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EA17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EA1335), ref: 00EA17EE
HeapFree.KERNEL32(00000000), ref: 00EA17F5

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
Instruction ID: a730db22cb49a51665b7ba171a6345e474ba00baf55a3c1d29c21ab1d3978dc5
Opcode Fuzzy Hash: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
Instruction Fuzzy Hash: 9611E131506206FFDB108FA4DC48FAE7BB8EB4B359F20605AF441BB150C731A944CB60

Function 00EA14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EA14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EA1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EA1515
CloseHandle.KERNEL32(00000004), ref: 00EA1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EA154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EA1563

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
Instruction ID: 620e614c07e9cd8a24927c0a678fab361a2a417e3a727b7359f4ee3fe8221be6
Opcode Fuzzy Hash: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
Instruction Fuzzy Hash: 1D11897250120AAFDF118FA8ED09BDE3BA9EF49748F144056FA05B60A0C371DE64DB60

Function 00E63382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E63379,00E62FE5), ref: 00E63390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E6339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E633B7
SetLastError.KERNEL32(00000000,?,00E63379,00E62FE5), ref: 00E63409

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0354e635a859c587f050436e37bae140d1fceb94fb061d8e5a9c7e17787b104f
Instruction ID: e02629d24045e691c59801bcf201368607c2b4cbedd1fa2aec1a85c3f1efa03f
Opcode Fuzzy Hash: 0354e635a859c587f050436e37bae140d1fceb94fb061d8e5a9c7e17787b104f
Instruction Fuzzy Hash: 7E01D4326C9312BEEA252775BC8556B2E94EB157F9720232AF520F12F0EF114E16A584

Function 00E72D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E75686,00E83CD6,?,00000000,?,00E75B6A,?,?,?,?,?,00E6E6D1,?,00F08A48), ref: 00E72D78
_free.LIBCMT ref: 00E72DAB
_free.LIBCMT ref: 00E72DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DEC
_abort.LIBCMT ref: 00E72DF2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e402ab0083cb0ef9a009b897f59d3a6bf66e6ccb54d79975a336e564c89dd3a9
Instruction ID: f4f44b87e7a7f2cad65053029bfcf22b073f2c3f642cc767a77613655dc20213
Opcode Fuzzy Hash: e402ab0083cb0ef9a009b897f59d3a6bf66e6ccb54d79975a336e564c89dd3a9
Instruction Fuzzy Hash: F1F028319056013BC6322339BC06E5A26A9AFC17A4F34E11DFB2CB21E6EF2088825260

Function 00ED8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596A2
Part of subcall function 00E59639: BeginPath.GDI32(?), ref: 00E596B9
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00ED8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00ED8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00ED8A70
LineTo.GDI32(?,00000000,00000003), ref: 00ED8A80
EndPath.GDI32(?), ref: 00ED8A90
StrokePath.GDI32(?), ref: 00ED8AA0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
Instruction ID: 3d8d872bbe340496467df8325d04dcae833a2bf500abad9110ff38416d0d15c4
Opcode Fuzzy Hash: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
Instruction Fuzzy Hash: 9511097600114DFFDF129F91EC88EEA7F6CEB08394F108012BA19AA1A1C7719D59DBA0

Function 00EA51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EA5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EA5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EA5230
ReleaseDC.USER32(00000000,00000000), ref: 00EA5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EA524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EA5261

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
Instruction ID: 5ee6e5e43251f6c8ee21dd1dbc540f1468e018313bd64d945987c263a9ebe22b
Opcode Fuzzy Hash: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
Instruction Fuzzy Hash: 49018F75A01719BFEB109BA69C49B4EBFB8EF48751F144066FA04BB290D6709804CBA0

Function 00E41BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E41BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E41BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E41C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E41C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E41C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E41C22

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f2c31b82b125c18e0bd3086d108db1b0c7c5801e9966e094baafa347a8979dcb
Instruction ID: 2e5cb0a1c8bee41dca7816845741dd2ec213c222263cda0caf1d0ddbc3b1d28e
Opcode Fuzzy Hash: f2c31b82b125c18e0bd3086d108db1b0c7c5801e9966e094baafa347a8979dcb
Instruction Fuzzy Hash: 46016CB090275A7DE3008F5A8C85B52FFA8FF19754F00411B915C47941C7F5A864CBE5

Function 00EAEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EAEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EAEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EAEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EAEB75

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
Instruction ID: 150cd661603dbfd7cf676f9841ff766ae6dbcb98c4eb4d3ad65efa942c1276ed
Opcode Fuzzy Hash: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
Instruction Fuzzy Hash: CFF06D72142129BFEA205B53AC0DEAF3B7CEBCAF51F10015AF611E109097A05A05C6B5

Function 00E97439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E97452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E97469
GetWindowDC.USER32(?), ref: 00E97475
GetPixel.GDI32(00000000,?,?), ref: 00E97484
ReleaseDC.USER32(?,00000000), ref: 00E97496
GetSysColor.USER32(00000005), ref: 00E974B0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
Instruction ID: 6b1abf6515557d62da2d50c6614d7234559e2bc744a6dd33fd0f560afca48da2
Opcode Fuzzy Hash: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
Instruction Fuzzy Hash: EC018B31405216EFDB105FA5EC08BEE7BB6FB04751F210161F925B21A1CB311E49EB51

Function 00EA1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EA187F
UnloadUserProfile.USERENV(?,?), ref: 00EA188B
CloseHandle.KERNEL32(?), ref: 00EA1894
CloseHandle.KERNEL32(?), ref: 00EA189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EA18A5
HeapFree.KERNEL32(00000000), ref: 00EA18AC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
Instruction ID: d614da822dc974fa651dc61df538268893f676eacd53a44d8fa61df08f34cb84
Opcode Fuzzy Hash: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
Instruction Fuzzy Hash: 4BE0ED36046112FFDB016FA2FD0C905BF39FF497627208222F225A10B1CB325464DF50

Function 00EC7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E60242: EnterCriticalSection.KERNEL32(00F1070C,00F11884,?,?,00E5198B,00F12518,?,?,?,00E412F9,00000000), ref: 00E6024D
Part of subcall function 00E60242: LeaveCriticalSection.KERNEL32(00F1070C,?,00E5198B,00F12518,?,?,?,00E412F9,00000000), ref: 00E6028A

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00E600A3: __onexit.LIBCMT ref: 00E600A9

__Init_thread_footer.LIBCMT ref: 00EC7BFB

Part of subcall function 00E601F8: EnterCriticalSection.KERNEL32(00F1070C,?,?,00E58747,00F12514), ref: 00E60202
Part of subcall function 00E601F8: LeaveCriticalSection.KERNEL32(00F1070C,?,00E58747,00F12514), ref: 00E60235

Strings

+T, xrefs: 00EC7E2E
Variable must be of type 'Object'., xrefs: 00EC7C3A
G, xrefs: 00EC7C7F
5, xrefs: 00EC7C78

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: f9e53bed9c690fe2ed813c4ccfb17ddbec69b8b18fe23aee15d7ab4d14ea5359
Instruction ID: 10eb7524a06a5a67d28265376f074236a43182abe8de1e3c9cfc2b4e1cdba1f7
Opcode Fuzzy Hash: f9e53bed9c690fe2ed813c4ccfb17ddbec69b8b18fe23aee15d7ab4d14ea5359
Instruction Fuzzy Hash: 2F916C70A04209AFCB14EF54DA91EADBBB1AF49304F14905DF8467B292DB32AE42DB51

Function 00EAC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EAC6EE
_wcslen.LIBCMT ref: 00EAC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EAC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EAC7CA

Strings

0, xrefs: 00EAC6AF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 08b00cedfdff74222128c9a1995b3ccb796f153ac41689a69910a656c1fea64a
Instruction ID: cbc50b5b6453b23a3a1e6e7a0336678204d605d018395e37335225295087895a
Opcode Fuzzy Hash: 08b00cedfdff74222128c9a1995b3ccb796f153ac41689a69910a656c1fea64a
Instruction Fuzzy Hash: 2351F1716043019BD715DF38C845BAB77E4AF8E318F242A2AF991FB190DB60E844CF92

Function 00ECAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00ECAEA3

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

GetProcessId.KERNEL32(00000000), ref: 00ECAF38
CloseHandle.KERNEL32(00000000), ref: 00ECAF67

Strings

@, xrefs: 00ECAE72
<, xrefs: 00ECAE6B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 51740f88454d92f31b66c8b8ad6473c559537c4ecb398fad3bc786602df40b35
Instruction ID: be7966c8a278d4893d5704f8a0107b02a26ef6b9975dee78fced07550e577778
Opcode Fuzzy Hash: 51740f88454d92f31b66c8b8ad6473c559537c4ecb398fad3bc786602df40b35
Instruction Fuzzy Hash: 7F715470A002199FCB14DF54D584A9EBBF1EF08318F0894ADE856BB352CB35ED46CB91

Function 00EA719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EA7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EA723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EA724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EA72CF

Strings

DllGetClassObject, xrefs: 00EA7242

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
Instruction ID: 977ad8cc838fc0e221e033bbc923bb2a4ae59e945a5346e7ca7e94f7752afa8f
Opcode Fuzzy Hash: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
Instruction Fuzzy Hash: D5418EB1604204AFDB15CF54CC84B9A7BB9EF49314F2490AABD45EF21AD7B0E945CBA0

Function 00ED3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED3E35
IsMenu.USER32(?), ref: 00ED3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00ED3E92
DrawMenuBar.USER32 ref: 00ED3EA5

Strings

0, xrefs: 00ED3D89

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 89dd0c6610d5b7896fd7e017023fb927689fe4c993ba2fe0caa38c8993cb43ed
Instruction ID: fc1d7419be2efa0cd654330377cb68e221dd8fd4654fc2a707edc2fd3b4fff32
Opcode Fuzzy Hash: 89dd0c6610d5b7896fd7e017023fb927689fe4c993ba2fe0caa38c8993cb43ed
Instruction Fuzzy Hash: 2A416875A01309AFDB10DF60E884AEABBB9FF48354F04512AED05A7390D730AE46CF51

Function 00EA1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EA1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EA1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EA1EA9

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Strings

ComboBox, xrefs: 00EA1DF0
ListBox, xrefs: 00EA1E25

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 86211b54086b0c6707fefabcc01d4707ad59b68b79da1dea62bbced79e94fc13
Instruction ID: dacf1ac69f920cf170e19436c7e464cbcfd6e8a580e21d2cb6399e3df644d4cc
Opcode Fuzzy Hash: 86211b54086b0c6707fefabcc01d4707ad59b68b79da1dea62bbced79e94fc13
Instruction Fuzzy Hash: 24212771A00104BEDB14AB64EC46CFFBBF9DF4A3A4F10A119F825BB1E1DB346909D621

Function 00ED2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00ED2F8D
LoadLibraryW.KERNEL32(?), ref: 00ED2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00ED2FA9
DestroyWindow.USER32(?), ref: 00ED2FB1

Strings

SysAnimate32, xrefs: 00ED2F68

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
Instruction ID: b71acb02d47604ac5bd48fb0be1ee07bfae6c61e0688dfc2a78c68a40d7f74ba
Opcode Fuzzy Hash: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
Instruction Fuzzy Hash: 2C219F71204205AFEB104F64DC80EBB37B9EB69368F106A1EFA50F2290D772DC52A760

Function 00E64D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E64D1E,00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002), ref: 00E64D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E64DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E64D1E,00E728E9,(,00E64CBE,00000000,00F088B8,0000000C,00E64E15,(,00000002,00000000), ref: 00E64DC3

Strings

mscoree.dll, xrefs: 00E64D86
CorExitProcess, xrefs: 00E64D98

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
Instruction ID: c7322128ec536831a87c3b8e78fd65c9853a6815767fe1da06cd6706fb20e3f2
Opcode Fuzzy Hash: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
Instruction Fuzzy Hash: A7F0AF74A41219BFDB109F91EC09BAEBBB8EF44795F1001A5F805B22A0CF705984DA91

Function 00E44E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E44EAE
FreeLibrary.KERNEL32(00000000,?,?,00E44EDD,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00E44EA8
kernel32.dll, xrefs: 00E44E94

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
Instruction ID: a5b8a858ae6d76e5c5b7353a520cca2b82410db50d34fdd949574660c2285df4
Opcode Fuzzy Hash: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
Instruction Fuzzy Hash: BFE08635B036339FD22117267C1CB6F6668EF81BA67151117FC00F6290DF60CD06C0A2

Function 00E44E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E44E74
FreeLibrary.KERNEL32(00000000,?,?,00E83CDE,?,00F11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E44E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E44E6E
kernel32.dll, xrefs: 00E44E5B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
Instruction ID: cf264d2b584d901d701e47c044a955c78ba24434dc9bca83246cba6c233affbc
Opcode Fuzzy Hash: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
Instruction Fuzzy Hash: BED0C231A036335B8B221B267C08E8F6B2CEF81B953151613B800F7194CF20CD02C1D1

Function 00EB2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2C05
DeleteFileW.KERNEL32(?), ref: 00EB2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EB2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EB2CC0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 31916acef93b5433bd5a9a1375fda523a89ec8d94efeafaa2f2c1e7640f1708c
Instruction ID: 74df4bf540242c12a642b7919f6b0f7ff8dd6a1e75fc6ea64051c57a71125987
Opcode Fuzzy Hash: 31916acef93b5433bd5a9a1375fda523a89ec8d94efeafaa2f2c1e7640f1708c
Instruction Fuzzy Hash: 0FB13A72A01119ABDF21DFA4DC85EDFBBBDEF48350F1050AAF609F6151EA309A448F61

Function 00ECA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00ECA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ECA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ECA468
CloseHandle.KERNEL32(?), ref: 00ECA63D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 74dccc195e38275952283b3ab0844b3a31a4f490e99d76ddc150d3e02205b561
Instruction ID: e81242b043f1189b3a933e80154d22d4634f8b5ed72fe5fa2b9d69a330efe4b1
Opcode Fuzzy Hash: 74dccc195e38275952283b3ab0844b3a31a4f490e99d76ddc150d3e02205b561
Instruction Fuzzy Hash: 8DA1C1716043009FD720DF24D986F2AB7E1AF84718F18985DF95AAB392D771EC05CB82

Function 00E7BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EE3700), ref: 00E7BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F1121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E7BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F11270,000000FF,?,0000003F,00000000,?), ref: 00E7BC36
_free.LIBCMT ref: 00E7BB7F

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7BD4B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f6b5f7afd60a0be80cb66775a3c93d6589d658a434b3b910fa13fd045f9c3eed
Instruction ID: 9ec80f9b5c5370bc0d3b5d92d5f3b7486b8abfc9888ea757a3d79a15d5e9dbd3
Opcode Fuzzy Hash: f6b5f7afd60a0be80cb66775a3c93d6589d658a434b3b910fa13fd045f9c3eed
Instruction Fuzzy Hash: B451E371900209AFCB20EF659C81AAEB7BCFF40354B11D26AE658F7191EB709E419B90

Function 00EAE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EACF22,?), ref: 00EADDFD

Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EACF22,?), ref: 00EADE16

Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32(?,00EACF95), ref: 00EAE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EAE473
MoveFileW.KERNEL32(?,?), ref: 00EAE4AC
_wcslen.LIBCMT ref: 00EAE5EB
_wcslen.LIBCMT ref: 00EAE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EAE650

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
Instruction ID: c9b7f0c46393860761603c79110719b1bb92513c94719fdaa37aa6efa8532d7b
Opcode Fuzzy Hash: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
Instruction Fuzzy Hash: C25193B24083459BC724DB94EC819DBB3ECAF99344F10191EF589E7192EF34B5888766

Function 00ECB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ECB6AE,?,?), ref: 00ECC9B5
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ECBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00ECBB63
RegCloseKey.ADVAPI32(?,?), ref: 00ECBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00ECBBB3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
Instruction ID: f7a88e900281ebca27ea71c7c6157301807f4f352db61dad3aea93e297cadce8
Opcode Fuzzy Hash: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
Instruction Fuzzy Hash: D461B131208241AFC314DF14C591F2ABBE5FF84308F14955DF499AB2A2CB32ED46CB92

Function 00EA8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EA8BCD
VariantClear.OLEAUT32 ref: 00EA8C3E
VariantClear.OLEAUT32 ref: 00EA8C9D
VariantClear.OLEAUT32(?), ref: 00EA8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EA8D3B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
Instruction ID: 13939e7ca9ba1c99436b7c5c30617b2c4f2268f0300e26e00f23936bae498ed8
Opcode Fuzzy Hash: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
Instruction Fuzzy Hash: 0A5169B5A0021AEFCB14CF68D894AAAB7F8FF8D314B158559E915EB350E730E911CF90

Function 00EB8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EB8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EB8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EB8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EB8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EB8C5F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2d044fcc55c692d330432da5a552a113f084734cf4479190967d1bd5aca6beb9
Instruction ID: 9b077bf75f593496199fbb27c5c5b8fe5cc4b25e052cb51899ce243178fe6e66
Opcode Fuzzy Hash: 2d044fcc55c692d330432da5a552a113f084734cf4479190967d1bd5aca6beb9
Instruction Fuzzy Hash: F0516835A00215AFCB00DF64D881AAEBBF5FF48314F089459E849AB362CB35ED41CF91

Function 00EC8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EC8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EC8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EC8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EC9032
FreeLibrary.KERNEL32(00000000), ref: 00EC9052

Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EB1043,?,7644E610), ref: 00E5F6E6
Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E9FA64,00000000,00000000,?,?,00EB1043,?,7644E610,?,00E9FA64), ref: 00E5F70D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
Instruction ID: aa355bd4e8cb84cb994bc38e46ae54be88ef8ad67cdfa28c280b8574e26525e6
Opcode Fuzzy Hash: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
Instruction Fuzzy Hash: 3C514934601245DFC715DF58C685DADBBF1FF49314B0490A9E80AAB362DB32ED86CB90

Function 00ED6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00ED6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00ED6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00ED6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EBAB79,00000000,00000000), ref: 00ED6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00ED6CC7

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
Instruction ID: 799f39137f5f52045aecca97fab1c80b62ce69a3fc543ed0ffc5c003a9d17f9f
Opcode Fuzzy Hash: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
Instruction Fuzzy Hash: 5E41F235A10104AFDB24CF28CD58FE9BBA5EB09364F15122AF999B73E0C371ED42DA40

Function 00E72051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E720C3
_free.LIBCMT ref: 00E720E3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 64f8b19f632615cf1a276ba881ab003d14d69f53de49c0016f29dd456f6d3117
Instruction ID: cd7e69a10f852b5aab075beab2ad2d339550c3e0b27d0774d95a3b93812abff3
Opcode Fuzzy Hash: 64f8b19f632615cf1a276ba881ab003d14d69f53de49c0016f29dd456f6d3117
Instruction Fuzzy Hash: 2141D032A002049FCB24DF78C881A5AB3E5EF89714F1595ACEA19FB391DA31AD01CB91

Function 00E5912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E59141
ScreenToClient.USER32(00000000,?), ref: 00E5915E
GetAsyncKeyState.USER32(00000001), ref: 00E59183
GetAsyncKeyState.USER32(00000002), ref: 00E5919D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
Instruction ID: baf4d275da3b464599714efb5dfd114e718788abab21433b877a6f279035e678
Opcode Fuzzy Hash: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
Instruction Fuzzy Hash: 6C41AE31A0961AEBCF059F65C844BEEB7B4FB05324F20961AE865B3291C7306D58CB91

Function 00EB3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EB38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EB3922
TranslateMessage.USER32(?), ref: 00EB394B
DispatchMessageW.USER32(?), ref: 00EB3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB3966

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
Instruction ID: c6728e7153dd4feb5041d68c68f5db282ea6e8817dee8268f75e6e9e142d2f22
Opcode Fuzzy Hash: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
Instruction Fuzzy Hash: 1131F770504346AEEB35CB35AC4ABF737A8EB45308F14556EE562F20E4E7B0A684DB11

Function 00EBCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EBCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EBC21E,00000000), ref: 00EBCFF2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4ed64cef10a13232eaf86a16b9238920ef7b2d6074f4050b4ab50ad6b7bb6b74
Instruction ID: ebd7083ffc46257bbc1cc54fab4837c6c59a6fdefd3c0d55717972259e33a59b
Opcode Fuzzy Hash: 4ed64cef10a13232eaf86a16b9238920ef7b2d6074f4050b4ab50ad6b7bb6b74
Instruction Fuzzy Hash: AC317F71608206AFDB20DFA5D884AFBBBF9EB04355B20546EF506F2110DB30ED44DB60

Function 00EA1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EA1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EA19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EA19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EA19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EA19E2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: abbb4e803998ab71ff554713817aab1b2926695a6e3632324af8e15125375e15
Instruction ID: 9ae2c9aff18c90bc5f528b2adfab5caa044e1170d5e16431cf0b92fc0fdb2b60
Opcode Fuzzy Hash: abbb4e803998ab71ff554713817aab1b2926695a6e3632324af8e15125375e15
Instruction Fuzzy Hash: 7931BF71A00219EFCB00CFA8DD99ADE3BB5EB49319F105269F921BB2D1C770A944CB91

Function 00ED5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00ED5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00ED579D
_wcslen.LIBCMT ref: 00ED57AF
_wcslen.LIBCMT ref: 00ED57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
Instruction ID: 28abeefc88f35858909d67efaf2f1050308fd46c2695c9a7c6265eae038dc50d
Opcode Fuzzy Hash: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
Instruction Fuzzy Hash: 4A218272904618DADB209FA4DC85AEE77B8FF44764F109217F929FA2C0D7708986CF51

Function 00EC0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EC0951
GetForegroundWindow.USER32 ref: 00EC0968
GetDC.USER32(00000000), ref: 00EC09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EC09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EC09E8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
Instruction ID: 850208b914a90bea2fc945abd24a45b807ec483a6b797e2048a9e1ebefe1b1ad
Opcode Fuzzy Hash: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
Instruction Fuzzy Hash: D5216F35600214AFD704EF65D984AAFBBF9EF84740F14806DE85AA7752CB34EC05CB90

Function 00E7CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E7CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E7CDE9

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E7CE0F
_free.LIBCMT ref: 00E7CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E7CE31

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8e211bed2e476e3251588a7bedc831112cb66962ebc9b52ff9bccfb33699438e
Instruction ID: 2bc6deab2bb7af8136acedee3283433536b9666fe269d0baed958d564dc1eb13
Opcode Fuzzy Hash: 8e211bed2e476e3251588a7bedc831112cb66962ebc9b52ff9bccfb33699438e
Instruction Fuzzy Hash: B701D8726026157F272116B76C48C7F6B6DDFC6BA5335912EFA0DF7100DA608D0281B1

Function 00E59639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
SelectObject.GDI32(?,00000000), ref: 00E596A2
BeginPath.GDI32(?), ref: 00E596B9
SelectObject.GDI32(?,00000000), ref: 00E596E2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
Instruction ID: 96edd93b0ff5e1762962b1063070f3ed5d6b03a05127e4a10152ee35680e4a56
Opcode Fuzzy Hash: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
Instruction Fuzzy Hash: CD217F7080230AEFDB119F25EC157E97BB9FB0039AF518616F920B61A1D3B4589DEF90

Function 00EA5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EA5726
_memcmp.LIBVCRUNTIME ref: 00EA5744
_memcmp.LIBVCRUNTIME ref: 00EA5757
_memcmp.LIBVCRUNTIME ref: 00EA576F
_memcmp.LIBVCRUNTIME ref: 00EA5787

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
Instruction ID: 7cd66e6c8aa6c6658acfb82ecf304b474b2c4f2f2ee5da72dfcea1b05c795d9e
Opcode Fuzzy Hash: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
Instruction Fuzzy Hash: 5E019663681B15FAD21896109D42EFA639CDB263A8B046423FD16BE741F760FD2182A4

Function 00E72DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E6F2DE,00E73863,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6), ref: 00E72DFD
_free.LIBCMT ref: 00E72E32
_free.LIBCMT ref: 00E72E59
SetLastError.KERNEL32(00000000,00E41129), ref: 00E72E66
SetLastError.KERNEL32(00000000,00E41129), ref: 00E72E6F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 451b0e8758167728a1ec146d160ef447aa1d2f15f98bde7b42a1efc58b2fb1ea
Instruction ID: 19c694f109b8a64850f39f713806696a292162cfa5efd4de4476ca35cfdaec15
Opcode Fuzzy Hash: 451b0e8758167728a1ec146d160ef447aa1d2f15f98bde7b42a1efc58b2fb1ea
Instruction Fuzzy Hash: 2D01F4326056017BCA1327357C45D6B2699EBC57A9B34E12DFA2DB22D7EF608C455120

Function 00EA000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?,?,00EA035E), ref: 00EA002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?), ref: 00EA0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E9FF41,80070057,?,?), ref: 00EA0070

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 96121ec54e96c2ce0623c10d480e5f7ad02d8d1ccccee6345f4d8435bf5f95ca
Instruction ID: 7444c391303644cf44aa893cc0f81cbe286243414928a68390714c92e92bf72a
Opcode Fuzzy Hash: 96121ec54e96c2ce0623c10d480e5f7ad02d8d1ccccee6345f4d8435bf5f95ca
Instruction Fuzzy Hash: 0E01DF76601205BFDB114F69EC84FAA7BAEEB48391F205525F901FA210D770ED04EBA0

Function 00EA10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 31454a0a9608b3db796ffc5d33f8fc8f3d3ff7ca17912d6e98bb23ef8a9baadf
Instruction ID: 47d7a2c050437b53b17b8c7ff0b2009dba360d369c0c3795d0176d19cc3eef03
Opcode Fuzzy Hash: 31454a0a9608b3db796ffc5d33f8fc8f3d3ff7ca17912d6e98bb23ef8a9baadf
Instruction Fuzzy Hash: 4A016D75102216BFDB114F65EC49A6A3B7EEF8A3A4B200456FA41E7350DA31DC40DA60

Function 00EA0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EA0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EA0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EA0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EA1002

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 02ff084c8d1b68331c6aa745fc8bd3d8b14f42a238fe9d2d0555106af9166e73
Instruction ID: 7c77fcc91fead49e183515841903845c7a65768db442f8b3c8d980066b8ca2d7
Opcode Fuzzy Hash: 02ff084c8d1b68331c6aa745fc8bd3d8b14f42a238fe9d2d0555106af9166e73
Instruction Fuzzy Hash: B1F0C235102312EFD7210FA5EC8DF563B6EEF8A7A1F210455F905EB290CA30EC40CA60

Function 00EA1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EA102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1062

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 18516ab73edff971aeb3cb4e5f38c300e2424b85c7d698aa45adb3b07ecd351a
Instruction ID: 46cb90a7561caadf5b62cc306215be335a7b23694a0d98121feeb7d4df6a8802
Opcode Fuzzy Hash: 18516ab73edff971aeb3cb4e5f38c300e2424b85c7d698aa45adb3b07ecd351a
Instruction Fuzzy Hash: 11F0C235102312EFD7211FA5EC48F563B6DEF8A7A1F200455F905EB290CA70E840DA60

Function 00EB030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0324
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0331
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB033E
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB034B
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0358
CloseHandle.KERNEL32(?,?,?,?,00EB017D,?,00EB32FC,?,00000001,00E82592,?), ref: 00EB0365

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f426876a7d5014a6726304705876ebb49322127cf1dce596496e5d73ae446639
Instruction ID: 78392f5885e1dd9961208f84140a4a92bd5d30d7fb00fb11d704c16a696bcd54
Opcode Fuzzy Hash: f426876a7d5014a6726304705876ebb49322127cf1dce596496e5d73ae446639
Instruction Fuzzy Hash: 8F019872801B159FCB30AF66D890857FBF9BF602193159A3FD19662931C7B1B998CE80

Function 00E7D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E7D752

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E7D764
_free.LIBCMT ref: 00E7D776
_free.LIBCMT ref: 00E7D788
_free.LIBCMT ref: 00E7D79A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89767dfb9f3cf4f79e66ec8e3085421ecaa4f5182c64b26ebf1a35078788a09f
Instruction ID: 0f2aa021962741d8a21089b66f5c351f36036ac5fd86597201046be43c65df55
Opcode Fuzzy Hash: 89767dfb9f3cf4f79e66ec8e3085421ecaa4f5182c64b26ebf1a35078788a09f
Instruction Fuzzy Hash: 8AF0F4325442086BC615EB78FDC5C167BEDBF84714B98A90AF24DF7541C720FC8057A4

Function 00EA5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EA5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EA5C6F
MessageBeep.USER32(00000000), ref: 00EA5C87
KillTimer.USER32(?,0000040A), ref: 00EA5CA3
EndDialog.USER32(?,00000001), ref: 00EA5CBD

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d483f00ca8cf0c5ac445a47846b6a8425ee444bbd6f56343f898b4005d0b6c11
Instruction ID: 1df7a4f36c46794eb65754a06a7ff6c982cfc70f1d19324ca0702e948f66677f
Opcode Fuzzy Hash: d483f00ca8cf0c5ac445a47846b6a8425ee444bbd6f56343f898b4005d0b6c11
Instruction Fuzzy Hash: 9701DB315007049FEB205B11FD4EFD6B7B8FB05B45F04125AA553750E0D7F0A988CE50

Function 00E722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E722BE

Part of subcall function 00E729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000), ref: 00E729DE
Part of subcall function 00E729C8: GetLastError.KERNEL32(00000000,?,00E7D7D1,00000000,00000000,00000000,00000000,?,00E7D7F8,00000000,00000007,00000000,?,00E7DBF5,00000000,00000000), ref: 00E729F0

_free.LIBCMT ref: 00E722D0
_free.LIBCMT ref: 00E722E3
_free.LIBCMT ref: 00E722F4
_free.LIBCMT ref: 00E72305

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2800826fc0d51c5b41c8c126e872f9fa26adf9201f00b0feb81a1e53bb48c381
Instruction ID: e65591eb819ed53545c59c5401482ce965ab5dac436fccc7917a3d2953c789dc
Opcode Fuzzy Hash: 2800826fc0d51c5b41c8c126e872f9fa26adf9201f00b0feb81a1e53bb48c381
Instruction Fuzzy Hash: 85F030704011588BC712AF64BC028897BE5F758750B07D60EF718E22B1CB750492BBE4

Function 00E595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E595D4
StrokeAndFillPath.GDI32(?,?,00E971F7,00000000,?,?,?), ref: 00E595F0
SelectObject.GDI32(?,00000000), ref: 00E59603
DeleteObject.GDI32 ref: 00E59616
StrokePath.GDI32(?), ref: 00E59631

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6bbf8f66ed69c308f6845e42e128ba2d140a9d3f3db74ebb79ea42ce467da8a2
Instruction ID: b21b9a874611965ea41406fd076b523946a4e7cf33b05fcab4e5a232b6ed61ed
Opcode Fuzzy Hash: 6bbf8f66ed69c308f6845e42e128ba2d140a9d3f3db74ebb79ea42ce467da8a2
Instruction Fuzzy Hash: 2DF01430006209EFDB225F6AED18BE43B61FB003A6F548215FA25690F1C77189ADEF20

Function 00E70F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E710F9
__freea.LIBCMT ref: 00E71117

Part of subcall function 00E71537: _free.LIBCMT ref: 00E7154F

Strings

am/pm, xrefs: 00E7117A
a/p, xrefs: 00E711DE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e1239504ff7f474e1f0f45ef7139a7fb6d2dc2386d3d4c32ebddb557d0b1aae2
Instruction ID: 79363974f0a2caa56b8139e7d365087b392a91a3c31ee3966ad40b883119d734
Opcode Fuzzy Hash: e1239504ff7f474e1f0f45ef7139a7fb6d2dc2386d3d4c32ebddb557d0b1aae2
Instruction Fuzzy Hash: C9D13331900346EADB288F6CC885BFAB7B0EF01308F25E199E90DBB651D3359D80DB91

Function 00E75AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00E75BA8, 00E75C6C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
Instruction ID: 711b3b0861085b4973cd48a19efda04023994b12bed7da3b534e520157357ea4
Opcode Fuzzy Hash: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
Instruction Fuzzy Hash: CE51CD72D0060A9FCB21DFA4D845BFEBBB8EF05314F14A15AF409B7291D7B19A019B61

Function 00E78A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E78B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E78B7A
__dosmaperr.LIBCMT ref: 00E78B81

Strings

., xrefs: 00E78A63

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 15eaf04ec6a3e2ceca022eeca67ee18efd65f2d46f121f1461ed7202f5db236f
Instruction ID: fa8d5bb16e6b8ecbd6563aa16254f46a6b8ab2c2d574a6daa59093ced2a85889
Opcode Fuzzy Hash: 15eaf04ec6a3e2ceca022eeca67ee18efd65f2d46f121f1461ed7202f5db236f
Instruction Fuzzy Hash: 8141AC74604045AFCB249F24D989ABD3FE5DF95304F28E1AAF88CA7242DE318C03A790

Function 00EA2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EA21D0,?,?,00000034,00000800,?,00000034), ref: 00EAB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EA2760

Part of subcall function 00EAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EA21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EAB3F8

Part of subcall function 00EAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EAB355
Part of subcall function 00EAB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EA2194,00000034,?,?,00001004,00000000,00000000), ref: 00EAB365
Part of subcall function 00EAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EA2194,00000034,?,?,00001004,00000000,00000000), ref: 00EAB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA281A

Strings

@, xrefs: 00EA2832

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 534e84e9ffff583c87ed146a723acaa7708dd14a0f9f1d70a481a31a87190cc4
Instruction ID: 9a16392ed31f36d3fa3d1925896d3285d41cc600fa1069b4df2214cd7bc86278
Opcode Fuzzy Hash: 534e84e9ffff583c87ed146a723acaa7708dd14a0f9f1d70a481a31a87190cc4
Instruction Fuzzy Hash: 91412E72900218AFDB10DFA4CD45ADEBBB8EF0A700F105099FA55BB181DB707E49CB61

Function 00E7172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E71769
_free.LIBCMT ref: 00E71834
_free.LIBCMT ref: 00E7183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E71760, 00E71767, 00E71796, 00E717CE

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: f0de03eff4dabeb4b7573dfb4fe157a85cabfeb7af824f9f6993c990c910f2b3
Instruction ID: a57ff9def3c2e8460bba43a35f9d801641de3cc91962fa96e032715a57bebcbf
Opcode Fuzzy Hash: f0de03eff4dabeb4b7573dfb4fe157a85cabfeb7af824f9f6993c990c910f2b3
Instruction Fuzzy Hash: FB318071A00358AFDB25DF99D881D9EBBFCEB85310B1491AAF908E7211D6708E40DB91

Function 00EAC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EAC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EAC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F11990,00985920), ref: 00EAC395

Strings

0, xrefs: 00EAC2DF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 62baf5b57b6138a21614c0291b9acc3fa58a1b2113dfbb026950c8716d1e0b2e
Instruction ID: 147338d728e213bc40fe0f33075cf6917c662c7645ebafba140564f7880a5a96
Opcode Fuzzy Hash: 62baf5b57b6138a21614c0291b9acc3fa58a1b2113dfbb026950c8716d1e0b2e
Instruction Fuzzy Hash: DD41B6312043019FDB24DF25D844B5ABBE4EF8A314F24966DF965AB2D1D770F908CB52

Function 00ED4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EDCC08,00000000,?,?,?,?), ref: 00ED44AA
GetWindowLongW.USER32 ref: 00ED44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED44D7

Strings

SysTreeView32, xrefs: 00ED447C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: bc4fac9f7f90270a69a0e95467595796619dfa97ee4dc6cbdc0e79c7b7ce097c
Instruction ID: f4e7309c2971d5131bac03f48c922d94844e0c3b454c94efd4aa8e64ae3f3524
Opcode Fuzzy Hash: bc4fac9f7f90270a69a0e95467595796619dfa97ee4dc6cbdc0e79c7b7ce097c
Instruction Fuzzy Hash: 92318D71210206AFDF219E38EC45BEA77A9EB18338F206716F975A22D0D770EC969750

Function 00EA6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EA6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EA6F08
VariantClear.OLEAUT32(?), ref: 00EA6F12

Strings

*j, xrefs: 00EA6E8B, 00EA6E90, 00EA6EF8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: a82a0c5c02af5120b99e7493cd7eaac95f42710ceb1f1baa257e4d08787ff74c
Instruction ID: 1bf968b1655257d7a597c45bea22f64bf146efd910545158aa018b3ccc740453
Opcode Fuzzy Hash: a82a0c5c02af5120b99e7493cd7eaac95f42710ceb1f1baa257e4d08787ff74c
Instruction Fuzzy Hash: 7531B175704215DFCB04AFA4E8519BD77B6EF8B304B141499F8026F2A1C734E916DBD0

Function 00EC304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EC3077,?,?), ref: 00EC3378

inet_addr.WSOCK32(?), ref: 00EC307A
_wcslen.LIBCMT ref: 00EC309B
htons.WSOCK32(00000000), ref: 00EC3106

Strings

255.255.255.255, xrefs: 00EC3095, 00EC309A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: abdadaaf70145b92187e893ae56789abfe46c910027acf83e9dc30ffcd70d2fc
Instruction ID: 82b254272116de5906a97e65622141bb0e56bbfe8f86c201051f37d155e0578a
Opcode Fuzzy Hash: abdadaaf70145b92187e893ae56789abfe46c910027acf83e9dc30ffcd70d2fc
Instruction Fuzzy Hash: 0031A33A6002019FCB10CF39D686FAA77E0EF54318F28D059E915AB392D732EE46C761

Function 00ED3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00ED3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00ED3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED3F78

Strings

SysMonthCal32, xrefs: 00ED3F0B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9a0336cae2568fe7907dd5f5dc81d82384319f9eddd03161557528a24f1fde62
Instruction ID: 43313cc4a2ae874ff9bda89ec4204d1d2f8de555ea211939444cecba48ec3db5
Opcode Fuzzy Hash: 9a0336cae2568fe7907dd5f5dc81d82384319f9eddd03161557528a24f1fde62
Instruction Fuzzy Hash: 2421AD32600219BFDF218F60DC46FEA3BB6EB48718F111215FA157B2D0D6B1E855DB90

Function 00ED4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00ED4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00ED4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00ED471A

Strings

msctls_updown32, xrefs: 00ED4684

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f86fbbc50f7583eb00dd39209b388aaa2cbdecd44331c83bb5940f41f3d6c6d9
Instruction ID: ddad5523a81194be1017c5f5903bb85759fdb9c79842cb5d381445d90edacbf5
Opcode Fuzzy Hash: f86fbbc50f7583eb00dd39209b388aaa2cbdecd44331c83bb5940f41f3d6c6d9
Instruction Fuzzy Hash: 2D2151F5600209AFEB10DF64DCC1DA737EDEB5A3A8B14105AF610A7391CB71EC12DA60

Function 00EA95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA961D

Strings

#notrayicon, xrefs: 00EA95B7
#OnAutoItStartRegister, xrefs: 00EA95F3
#requireadmin, xrefs: 00EA95D9

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 940dbad16a593a10d0107e343a499a52a98717ccf5d5c031e19b4a32c59f77e9
Instruction ID: 1d98ce326d18496520cef90a5a52cf5b25fb8acc13f31e6880b524633ef6c491
Opcode Fuzzy Hash: 940dbad16a593a10d0107e343a499a52a98717ccf5d5c031e19b4a32c59f77e9
Instruction Fuzzy Hash: D121357264421166D331EA24AC02FBB73D8DF9A314F106426F94ABF182EB51BD52C2E5

Function 00ED37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00ED3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00ED3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00ED3876

Strings

Listbox, xrefs: 00ED380F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a8714103e5e488eb544ed7d1e16fb96abb7eefaa25bed9419e9240bea7763c2d
Instruction ID: 7839afd483a48a3b45aff4310c0440d487b00c366db7fc36c346673ad3e0b482
Opcode Fuzzy Hash: a8714103e5e488eb544ed7d1e16fb96abb7eefaa25bed9419e9240bea7763c2d
Instruction Fuzzy Hash: 8721F272600218BFEF218F64DC41FBB376EEF89754F109116F900AB290C671DC1297A1

Function 00EB49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EB4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EB4A5C
SetErrorMode.KERNEL32(00000000,?,?,00EDCC08), ref: 00EB4AD0

Strings

%lu, xrefs: 00EB4A6F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b16e5bb8456a00d46ba7c8458075a3fc7a8701e99b12415c07b30b1f63208282
Instruction ID: ba811b3137ca246a2fcc93e8136cba30e50e651ddfae59aad3f4bea3de6158fa
Opcode Fuzzy Hash: b16e5bb8456a00d46ba7c8458075a3fc7a8701e99b12415c07b30b1f63208282
Instruction Fuzzy Hash: BE315E71A00219AFDB10DF54C885EAABBF8EF08308F1490A5F909EB253D771ED46CB61

Function 00ED41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00ED424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00ED4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00ED4271

Strings

msctls_trackbar32, xrefs: 00ED4226

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a909184fcf419c6ac527439e339c167a142b082150add3b0b2aee2420c7933ef
Instruction ID: 9b4af89a3c44217aead5768ed787665d8f5e42191f51c593aa2ad765b1430bac
Opcode Fuzzy Hash: a909184fcf419c6ac527439e339c167a142b082150add3b0b2aee2420c7933ef
Instruction Fuzzy Hash: 2311E371240208BFEF205E69CC06FAB3BACEF95B68F111115FA55F61E0D671D8129B10

Function 00EA2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A

Part of subcall function 00EA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
Part of subcall function 00EA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
Part of subcall function 00EA2DA7: GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
Part of subcall function 00EA2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EA2DE4

GetFocus.USER32 ref: 00EA2F78

Part of subcall function 00EA2DEE: GetParent.USER32(00000000), ref: 00EA2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EA2FC3
EnumChildWindows.USER32(?,00EA303B), ref: 00EA2FEB

Strings

%s%d, xrefs: 00EA2FFF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0362dba1f4b8b1a9b3cb285e1aba45691725f9f96183ab80433641450f238f0b
Instruction ID: 3f5fae523b1e91279ed15f94f7a4c323ba2716baba336ca6aa8155505a93597b
Opcode Fuzzy Hash: 0362dba1f4b8b1a9b3cb285e1aba45691725f9f96183ab80433641450f238f0b
Instruction Fuzzy Hash: D41196716002055BCF146F749C85EED77A9DF89308F145075FE09BF192DE70A949DB60

Function 00ED5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00ED58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00ED58EE
DrawMenuBar.USER32(?), ref: 00ED58FD

Strings

0, xrefs: 00ED588F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 482331fa98f713c622b2c4233c7ee2de74a930f62c6617f1d5c5ee7d948ff401
Instruction ID: 23090bbff10462df08205ce6bd8e2b1b3b5a5d919dbbbc43f2b4952617e66e6e
Opcode Fuzzy Hash: 482331fa98f713c622b2c4233c7ee2de74a930f62c6617f1d5c5ee7d948ff401
Instruction Fuzzy Hash: D7018432500218EFDB219F15EC45BEEBBB4FF45365F10909AE859E6251DB308A85DF21

Function 00E9D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00E9D3BF
FreeLibrary.KERNEL32 ref: 00E9D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00E9D3B9
X64, xrefs: 00E9D2A8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 9e157bf6757c4d12f15d539337441f6450fde72d494182fb07f81a711bbc2adf
Instruction ID: ed3891ee947bb3beebe8b1a01335d152a57957255eaa80fff1ab9d240c1cbc1c
Opcode Fuzzy Hash: 9e157bf6757c4d12f15d539337441f6450fde72d494182fb07f81a711bbc2adf
Instruction Fuzzy Hash: 93F0E53180F632DBDF7597214C589E93324EF10742FA4BA6AE802F2155DB20CD49D693

Function 00EA007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f428f921a1218c08ee32032ab0d1f6225ce3c1ba697fc11ee52809afe507f83
Instruction ID: f7fa707f98de5a2aebf3311749a10904e16ebfb768561d891c1b9dff9bef9686
Opcode Fuzzy Hash: 1f428f921a1218c08ee32032ab0d1f6225ce3c1ba697fc11ee52809afe507f83
Instruction Fuzzy Hash: 5EC13875A0020AAFDB14CFA8C894BAEB7B5FF49708F209598E505EF251D731EE45CB90

Function 00EC342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EC3459
CoUninitialize.OLE32 ref: 00EC3463
VariantInit.OLEAUT32(?), ref: 00EC346E
VariantClear.OLEAUT32(?), ref: 00EC371B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: da8b6b56de5cc109420d84120702a06a8ebc61b011d31583250e4ebb7e7f4e0f
Instruction ID: 7463e5888849321e6949a89b51e228dcbb0178211be015e02ba9c019b6389e5c
Opcode Fuzzy Hash: da8b6b56de5cc109420d84120702a06a8ebc61b011d31583250e4ebb7e7f4e0f
Instruction Fuzzy Hash: 5FA167756042109FC700DF28C585E6AB7E5FF88314F14985DF98AAB362DB35EE06CB91

Function 00EA0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA0608
CLSIDFromProgID.OLE32(?,?,00000000,00EDCC40,000000FF,?,00000000,00000800,00000000,?,00EDFC08,?), ref: 00EA062D
_memcmp.LIBVCRUNTIME ref: 00EA064E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6ad60c8405859170d7bf2f032f6da8fe74f61b845d521b143eaf4201f03f6c09
Instruction ID: 607f98472032dfb2156f945ae8a67845d28fb4608194800e8a3f99aacd6fdc5f
Opcode Fuzzy Hash: 6ad60c8405859170d7bf2f032f6da8fe74f61b845d521b143eaf4201f03f6c09
Instruction Fuzzy Hash: 04812B75A00109EFCB04DF94C984EEEB7B9FF89315F205598E516BB250DB71AE06CB60

Function 00E81391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E814C0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 85896201c91039d0d0f52af985ec081b97ca23c3975ca1331502f9d29c74eee6
Instruction ID: de2fa5699bfb5755bf77ee8ebc0ca8684a9e7ad43b59588ff4186fbffbd94090
Opcode Fuzzy Hash: 85896201c91039d0d0f52af985ec081b97ca23c3975ca1331502f9d29c74eee6
Instruction Fuzzy Hash: D0417D31A40100ABDB217BF9AC45ABE3BEDEF41370F1462A5F43DF21A2E67448435761

Function 00ED6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ED62E2
ScreenToClient.USER32(?,?), ref: 00ED6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00ED6382

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 382727c7f606b1008a10cc2e06a4488cd145ffd47ede7cd67c5dce5d8272cf01
Instruction ID: ed7ef3c5350704fc06c7ea2251643edd84dd879ed7332e0fd8dcc9c7024f4c13
Opcode Fuzzy Hash: 382727c7f606b1008a10cc2e06a4488cd145ffd47ede7cd67c5dce5d8272cf01
Instruction Fuzzy Hash: CA512D74900209AFDF10DF68D8809AE7BB5FF95364F10925AF925AB3A0D730ED42CB50

Function 00EC1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EC1AFD
WSAGetLastError.WSOCK32 ref: 00EC1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EC1B8A
WSAGetLastError.WSOCK32 ref: 00EC1B94

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 702cfca242b2c6ae904dc5a423722bfbaaadb3063ae6baffdc00742f6ffb2d3e
Instruction ID: 1fe8fc04447f65f023f47a2b621ba7f3df72558c73d5263e8aad39c98f371ca5
Opcode Fuzzy Hash: 702cfca242b2c6ae904dc5a423722bfbaaadb3063ae6baffdc00742f6ffb2d3e
Instruction Fuzzy Hash: 8541BB34600201AFE720AF24D986F2A77E5AB45718F54948CF91AAF3D3D772ED42CB90

Function 00E7B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582d45ad4665ed6982358232c169e71aa2043f081a02704233f3a2654b6e29b7
Instruction ID: d212b9d13aec51cd84143a55c4d9b9f749769f82c00eea0fec61e5c7740e6829
Opcode Fuzzy Hash: 582d45ad4665ed6982358232c169e71aa2043f081a02704233f3a2654b6e29b7
Instruction Fuzzy Hash: 1E411971A40304BFD724AF38CC41BAABBF9EB84710F10966EF559FB292E77199018780

Function 00EB56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EB5783
GetLastError.KERNEL32(?,00000000), ref: 00EB57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EB57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EB57FA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d8d6f4d8bf67a143e7af84ecebad089c2b239768744b9c3f4279e3ebe5fbe2e9
Instruction ID: 7156527d8f8483fffd3aa34361b6db0c9faddfe2220cd259f7797a312e4e388a
Opcode Fuzzy Hash: d8d6f4d8bf67a143e7af84ecebad089c2b239768744b9c3f4279e3ebe5fbe2e9
Instruction Fuzzy Hash: ED413D35600A11DFCB11DF15D544A5EBBE2EF89324B189899E84ABF362CB35FD00CB91

Function 00E7D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E682D9,?,00E682D9,?,00000001,?,?,00000001,00E682D9,00E682D9), ref: 00E7D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E7D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E7D9AB
__freea.LIBCMT ref: 00E7D9B4

Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4ab87cb1ce22cc9815c6659eb1810d135b5c4db2824c9b8f52377f934d68c7a3
Instruction ID: 56004ef0c587fecd4889223df945accdaf90b145b656466b97644e3c1a3fe1a2
Opcode Fuzzy Hash: 4ab87cb1ce22cc9815c6659eb1810d135b5c4db2824c9b8f52377f934d68c7a3
Instruction Fuzzy Hash: 1131CE72A0021AABDB249F65DC41EAE7BB5EF80354B158268FD08E6290EB75CD54CB90

Function 00ED52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00ED5352
GetWindowLongW.USER32(?,000000F0), ref: 00ED5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ED5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ED53A8

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e35aa7cc9964b49eba6a279ab20ceaf9a4aa3f6564a8cf0f2bca075f1aa392f8
Instruction ID: edafc73a8898fc41d4c36f75bb6b03d195d0f78203ce7753ff2d0f128057fa27
Opcode Fuzzy Hash: e35aa7cc9964b49eba6a279ab20ceaf9a4aa3f6564a8cf0f2bca075f1aa392f8
Instruction Fuzzy Hash: 4831E232A55A0CEFEB309B14CC05BE837A1EB043D4F586103FA10B63E5C7B09942EB42

Function 00EAAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00EAABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EAAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EAAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00EAACC6

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1323fb4234f62e0304ee0faeba8131fe29241d5bb670ae705dba50671935e9bc
Instruction ID: e287bfbce0c2ed0d5928478b1d60e17c1517b2d8a23b6245b8a6ae21e6b5696b
Opcode Fuzzy Hash: 1323fb4234f62e0304ee0faeba8131fe29241d5bb670ae705dba50671935e9bc
Instruction Fuzzy Hash: 4C311A309007186FFF35CB6598047FAFBA5AB4E334F0C622AE4817A1D1C375A945C752

Function 00ED7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00ED769A
GetWindowRect.USER32(?,?), ref: 00ED7710
PtInRect.USER32(?,?,00ED8B89), ref: 00ED7720
MessageBeep.USER32(00000000), ref: 00ED778C

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3d6e2265923eb9ddd7ff3d51c2789966ed10b708f9c961ccef6ba08834ae0aff
Instruction ID: e81973d2f1e9507e7b34afca13f96bdd1bd6d0e542645d7a52cfb8cd97e1db55
Opcode Fuzzy Hash: 3d6e2265923eb9ddd7ff3d51c2789966ed10b708f9c961ccef6ba08834ae0aff
Instruction Fuzzy Hash: D241BC34A092189FCB01CF58C884EA977F0FB48315F5594ABE9A4AB360E330E942CB90

Function 00ED16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00ED16EB

Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EA25B3), ref: 00EA3A65

GetCaretPos.USER32(?), ref: 00ED16FF
ClientToScreen.USER32(00000000,?), ref: 00ED174C
GetForegroundWindow.USER32 ref: 00ED1752

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6479599717cdd6e7652347ad5002ac7c6c161caf00bd3813cdd4ee039debcf75
Instruction ID: e5be881473e7a8da7a368949b1abb3619993eab547a32e1b090482835c5ca21d
Opcode Fuzzy Hash: 6479599717cdd6e7652347ad5002ac7c6c161caf00bd3813cdd4ee039debcf75
Instruction Fuzzy Hash: BB316F75E01249AFC700EFAAD881CAEBBF9EF49304B5490AAE415F7211D731DE45CBA0

Function 00EAD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
Process32NextW.KERNEL32(00000000,?), ref: 00EAD52F
CloseHandle.KERNEL32(00000000), ref: 00EAD5DC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0fd0f7bc04876bfc20f26b67ee6fea63bafc67718f910b1d4d173cdd78353189
Instruction ID: c6315df6c394dce4720fb49039a8b2a2441ac3719c3031c99d2c177eb480c223
Opcode Fuzzy Hash: 0fd0f7bc04876bfc20f26b67ee6fea63bafc67718f910b1d4d173cdd78353189
Instruction Fuzzy Hash: 2331A4315083019FD304EF54EC81AAFBBF8EFD9354F14052DF582A61A2EB71A948CB92

Function 00ED8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

GetCursorPos.USER32(?), ref: 00ED9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E97711,?,?,?,?,?), ref: 00ED9016
GetCursorPos.USER32(?), ref: 00ED905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E97711,?,?,?), ref: 00ED9094

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a248a83aac3353cd1fb5ab84f60589c43b972494792f128f6b922658c084b367
Instruction ID: 3ed1458825d1c45a46395cb4f9a43aee0cdd0a93b4e0801ffb99ebc8d2ca23de
Opcode Fuzzy Hash: a248a83aac3353cd1fb5ab84f60589c43b972494792f128f6b922658c084b367
Instruction Fuzzy Hash: 6121D331600018EFDB259F94EC58EFA3BB9FF49350F148156F905AB2A2C3759991EB60

Function 00EAD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EDCB68), ref: 00EAD2FB
GetLastError.KERNEL32 ref: 00EAD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EAD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EDCB68), ref: 00EAD376

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ca7529efec5dd0261dfa50066d84bd69d1e7e49cb8db56b13543c2e1e2ea7c48
Instruction ID: 40d173e5158b41f47e16d46e50bc7579a6a149a65010d48e801b62e65f79e2b1
Opcode Fuzzy Hash: ca7529efec5dd0261dfa50066d84bd69d1e7e49cb8db56b13543c2e1e2ea7c48
Instruction Fuzzy Hash: 802194705097019F8700DF28D8814AE77E4EF5A358F205A1EF496EB2A1D730E94ACB93

Function 00EA1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EA102A
Part of subcall function 00EA1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1036
Part of subcall function 00EA1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1045
Part of subcall function 00EA1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA104C
Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EA1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EA15BE
_memcmp.LIBVCRUNTIME ref: 00EA15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EA1617
HeapFree.KERNEL32(00000000), ref: 00EA161E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
Instruction ID: a8581ba0c74e7e47cedb82923b4e3e9bff9cbd6b5fe0a3ad20cdd7a3b2490f82
Opcode Fuzzy Hash: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
Instruction Fuzzy Hash: 15218931E41109EFDF00DFA4C945BEEB7B8EF89348F184499E441BB241E730AA49CBA0

Function 00ED2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00ED280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00ED2840

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a7e334fd8d35f96f7a0f6f89c290ad7bd3f7953f3a36550c4b157ef3db0b2733
Instruction ID: fc424cb0a44a6c89ea2019a5e362aa31ad4059bb799d4213c33426f16b4ba5b8
Opcode Fuzzy Hash: a7e334fd8d35f96f7a0f6f89c290ad7bd3f7953f3a36550c4b157ef3db0b2733
Instruction Fuzzy Hash: D6213335205111AFD7149B24D840FAA7B9AEF95324F24924EF526AB3E2C771FC43C790

Function 00EA78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?), ref: 00EA8D8C
Part of subcall function 00EA8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA8DB2
Part of subcall function 00EA8D7D: lstrcmpiW.KERNEL32(00000000,?,00EA790A,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?), ref: 00EA8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7923
lstrcpyW.KERNEL32(00000000,?,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EA8754,00000000,?,0000001C,?,?,00000000), ref: 00EA7984

Strings

cdecl, xrefs: 00EA797B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b0bd1bd99997d9ebfd90c187b2a18cb5da3dedb63449a6abc5847324254c9377
Instruction ID: 279e2aa856d7fc945494959a697949fcb21b8fe905f86b0adcddd466422e6562
Opcode Fuzzy Hash: b0bd1bd99997d9ebfd90c187b2a18cb5da3dedb63449a6abc5847324254c9377
Instruction Fuzzy Hash: 4411E43A201202AFCB159F35DC45D7B77E9EF8A394B10502BE982DB2A4EB31A811C791

Function 00ED7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00ED7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00ED7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00ED7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EBB7AD,00000000), ref: 00ED7D6B

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fcec1a5cf94dc6aba393990bb998d406c70fdcdb94a8bc9531f58cfa9a425a39
Instruction ID: 1437cfb19b1f96d7c790d72fe1d0ca409bed70d4da367617cf6ea2e54d6ed17d
Opcode Fuzzy Hash: fcec1a5cf94dc6aba393990bb998d406c70fdcdb94a8bc9531f58cfa9a425a39
Instruction Fuzzy Hash: 2111D5312056159FCB108F28DC04AA63BA5FF463B4B219726F975E72F0E730C952DB40

Function 00ED5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00ED56BB
_wcslen.LIBCMT ref: 00ED56CD
_wcslen.LIBCMT ref: 00ED56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
Instruction ID: b7acd16da99bc6ebd977b3b96b9d3852be27e150291961c4a55df286e678c647
Opcode Fuzzy Hash: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
Instruction Fuzzy Hash: 98110A7264060996DB209F65DC81AFE37ACEF50764B10502BF926F6281E770C985CF61

Function 00E71D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4b60aca295274b0f20e32a54a1132853ddc56bae205e9db53e2e20dae06651
Instruction ID: 3470e3ee83f7b92b20a3af82d048777424f0e8323e579ae71857ff4bbe8dc0a8
Opcode Fuzzy Hash: 2a4b60aca295274b0f20e32a54a1132853ddc56bae205e9db53e2e20dae06651
Instruction Fuzzy Hash: F4017CB220A7163EFA2116787CC1F67666CDF813B9B35A36AF629B11D2DB608C405560

Function 00EA1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EA1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EA1A8A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 082d04152f05058cb34b8f7a4c2966d6dafd307dae1e73aa78a88413f6c0e4c4
Instruction ID: b1e8497cad4f14307a88400e4cdeb98964e23569a3f1dc9017fc982d8b87b13b
Opcode Fuzzy Hash: 082d04152f05058cb34b8f7a4c2966d6dafd307dae1e73aa78a88413f6c0e4c4
Instruction Fuzzy Hash: 54110C3AD01219FFEB11DBA5CD85FADBB78EB09754F200091E604B7290D6716E50DB94

Function 00EAE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EAE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EAE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EAE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EAE24D

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
Instruction ID: cc0bad06e8bedfe9b91f018a894be50991c3ab03f2c24aa2224c502481f8a2e0
Opcode Fuzzy Hash: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
Instruction Fuzzy Hash: 26110872905259BFC7019BA8AC09BDE7FACEB46354F108256F924F7391D270DD0487B0

Function 00E6D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E6CFF9,00000000,00000004,00000000), ref: 00E6D218
GetLastError.KERNEL32 ref: 00E6D224
__dosmaperr.LIBCMT ref: 00E6D22B
ResumeThread.KERNEL32(00000000), ref: 00E6D249

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
Instruction ID: 25677885a85a2323275547d7ea8a58aa67dfd9b2f949a518af8ae0217eabd9e0
Opcode Fuzzy Hash: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
Instruction Fuzzy Hash: FF012636E8A204BBC7115BA5FC05BAA3BA9DF813B0F205219F924B20E0CB70C901C6A0

Function 00ED9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2

GetClientRect.USER32(?,?), ref: 00ED9F31
GetCursorPos.USER32(?), ref: 00ED9F3B
ScreenToClient.USER32(?,?), ref: 00ED9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00ED9F7A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bdc6bf76ea329cb2da865d4b716a45cdc72751a094e0c3220cefbb3ef0f27072
Instruction ID: a48fee5e1c303a6a5359a039c8c41a2a859e4040ad9dea50d7123bdd230e39c4
Opcode Fuzzy Hash: bdc6bf76ea329cb2da865d4b716a45cdc72751a094e0c3220cefbb3ef0f27072
Instruction Fuzzy Hash: 96112532A0011AABDB109F69DC499FE77B9FB05311F500552F911F7242D330AA86CBA1

Function 00E4600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
GetStockObject.GDI32(00000011), ref: 00E46060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
Instruction ID: 26ec6ad9f68e3d952e3173739283a7e85fe79b4d4a87dcdc620ab66ff31fcb3e
Opcode Fuzzy Hash: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
Instruction Fuzzy Hash: 7711C4B2502509BFEF224FA4EC44EEABB6DFF09395F101202FA1466010C732DC60DB91

Function 00E63B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E63B56

Part of subcall function 00E63AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E63AD2
Part of subcall function 00E63AA3: ___AdjustPointer.LIBCMT ref: 00E63AED

_UnwindNestedFrames.LIBCMT ref: 00E63B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E63B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E63BA4

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: bcc0ba2ee1b9262ccddc979006d1de299d4340fdda2b3b72e4581ab4c3b30731
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 88018C72140149BBDF125EA5EC42EEB3FADEF58798F045004FE4866121C732E961EBA0

Function 00E73073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E413C6,00000000,00000000,?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue), ref: 00E730A5
GetLastError.KERNEL32(?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue,00EE2290,FlsSetValue,00000000,00000364,?,00E72E46), ref: 00E730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E7301A,00E413C6,00000000,00000000,00000000,?,00E7328B,00000006,FlsSetValue,00EE2290,FlsSetValue,00000000), ref: 00E730BF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
Instruction ID: 4ed08233c0a1dd1baa08a69a5f79447377f5317844673ada44cd45e898e277f6
Opcode Fuzzy Hash: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
Instruction Fuzzy Hash: A5014732342223AFCB704B79AC44A977B98EF05BA1B208321F909F3180CB21C945D6E0

Function 00EA7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EA747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EA7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EA74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EA74CA

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
Instruction ID: f7a3ad06131a26305a65de4f042a9f83841bd3fab32c458103c6da9a377d1b83
Opcode Fuzzy Hash: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
Instruction Fuzzy Hash: 6B11A1B12063119FE720CF14ED08BD27FFCEB09B44F10856AA6A6EA151D770F908DB50

Function 00EAB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB126

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
Instruction ID: 333d21db13c06685dd44166d9491f9d835b7f99c6eab77e5ba312c8bdac7f1fb
Opcode Fuzzy Hash: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
Instruction Fuzzy Hash: 20118B30C0252DEBCF04AFE5E9A86EEBB78FF1E311F105096D981B6282CB306650CB51

Function 00ED7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ED7E33
ScreenToClient.USER32(?,?), ref: 00ED7E4B
ScreenToClient.USER32(?,?), ref: 00ED7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ED7E8A

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1702e718e75c46a069e4fce8d4563cabe30adec5993ef539593f2cb79f4de887
Instruction ID: 4f4c9e6618d67cdc6253bda1589157e603c62c4f9adf12a4ed51cd926888d231
Opcode Fuzzy Hash: 1702e718e75c46a069e4fce8d4563cabe30adec5993ef539593f2cb79f4de887
Instruction Fuzzy Hash: 331156B9D0020AAFDB41CFA9D884AEEBBF5FF08350F505166E915E3210D735AA55CF50

Function 00EA2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EA2DE4

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
Instruction ID: 81001c7a6a29458d410d2c183386fd63c018ddbca9a45d26b4b5b471622a070f
Opcode Fuzzy Hash: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
Instruction Fuzzy Hash: F9E06D711022257BDB201B67AC0DEEB3F6CEF47FA1F10101AB606F90819AA4D884C6B0

Function 00ED8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E59693
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596A2
Part of subcall function 00E59639: BeginPath.GDI32(?), ref: 00E596B9
Part of subcall function 00E59639: SelectObject.GDI32(?,00000000), ref: 00E596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00ED8887
LineTo.GDI32(?,?,?), ref: 00ED8894
EndPath.GDI32(?), ref: 00ED88A4
StrokePath.GDI32(?), ref: 00ED88B2

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
Instruction ID: 135e4c0c619938c97b6be694ba8098f23fb721e73ff772a6e48790f53c55cf30
Opcode Fuzzy Hash: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
Instruction Fuzzy Hash: 1CF09A36002259FADB121F95AC09FCE3B69AF06310F508002FA11710E2C7B51515DBE5

Function 00E598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E598CC
SetTextColor.GDI32(?,?), ref: 00E598D6
SetBkMode.GDI32(?,00000001), ref: 00E598E9
GetStockObject.GDI32(00000005), ref: 00E598F1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
Instruction ID: d2ec47e0fc8a638f9833a677932d183443f589799a7b41c3affb7d25300d2a30
Opcode Fuzzy Hash: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
Instruction Fuzzy Hash: F8E06531245251AEDF215B75BC09BD83F21EB11376F14821AF6F9640E1C3714648DB10

Function 00EA162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EA1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EA11D9), ref: 00EA163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EA11D9), ref: 00EA1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EA11D9), ref: 00EA164F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
Instruction ID: a0776455a6acb6ca12f7a12047889efb78c4d13742cfebd2696ccd48d49421bd
Opcode Fuzzy Hash: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
Instruction Fuzzy Hash: 4CE04F316022129FD7201BA2AE0DB463B68EF457E5F244849F245E9090E6245449C750

Function 00E9D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E9D858
GetDC.USER32(00000000), ref: 00E9D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
ReleaseDC.USER32(?), ref: 00E9D8A3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
Instruction ID: ba4352ae397a10076e9d6489bbf4645241e754a13a9961ca606127c2e1bf5a3b
Opcode Fuzzy Hash: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
Instruction Fuzzy Hash: 26E01AB0805206DFCF519FA1EC0866DBBF2FB08751F28A40AE816F7250C738890AEF40

Function 00E9D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E9D86C
GetDC.USER32(00000000), ref: 00E9D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
ReleaseDC.USER32(?), ref: 00E9D8A3

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
Instruction ID: b75b238e1c4f6b84fc62bbbfc64e731d555d32cb06f5444c90130940517ea50b
Opcode Fuzzy Hash: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
Instruction Fuzzy Hash: 58E01A70801201DFCB509FA1E80866DBBF1FB08751B28940AE816F7250C738990ADF40

Function 00EB4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EB4ED4

Strings

LPT, xrefs: 00EB4DFB
*, xrefs: 00EB4E10

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7b27bf438d3b5592ea40193fc5a7801a2d392feb61411fce93d107e00fa7a033
Instruction ID: cfd71b008700ca13c39de1f7ec06447231271cfcd75a61f94c1e6ed5c412b3f2
Opcode Fuzzy Hash: 7b27bf438d3b5592ea40193fc5a7801a2d392feb61411fce93d107e00fa7a033
Instruction Fuzzy Hash: F69142B5A002149FCB14DF54C484EEABBF5BF44308F19A099E84AAF3A2D735ED45CB91

Function 00E5E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E5E1B1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
Instruction ID: 0e346a94bc2b67c75d30021fad6849d385f60df6463aa7d8f3a7ec1488813c65
Opcode Fuzzy Hash: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
Instruction Fuzzy Hash: CC511F35904206DEDF18DFA8C0816FA7BA8EF15314F246856ED91BB390D6309E86CBA1

Function 00E5F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E5F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E5F2BB

Strings

@, xrefs: 00E5F2AF

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
Instruction ID: 7947a6dcedf0b2a909d11ce490598b4a3831c176922d1363f96648b27449fee2
Opcode Fuzzy Hash: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
Instruction Fuzzy Hash: C85156715097489BD320AF51EC86BABBBF8FF84300F91884DF1D9611A5EB318529CB67

Function 00EC5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EC57E0
_wcslen.LIBCMT ref: 00EC57EC

Strings

CALLARGARRAY, xrefs: 00EC57E6, 00EC57EB

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5ab30297bbceddb5a4218a09185f2937dbfe1cbfc48c8e1c22a36de8d31a4f09
Instruction ID: aa31f90762ecf853725af5829bd9ab4627bae54f905d97feefe91c543d45f42f
Opcode Fuzzy Hash: 5ab30297bbceddb5a4218a09185f2937dbfe1cbfc48c8e1c22a36de8d31a4f09
Instruction Fuzzy Hash: 75417F32A002059FCB18DFA8C982DAEBBF5EF59354B14606DF515B7251D731AD82CBA0

Function 00EBD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EBD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EBD13A

Strings

|, xrefs: 00EBD10B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
Instruction ID: 9e29d86a8b50da7e2d28df3774bd56f4ca26776f58f60cb4ed09fb040e8e1ecc
Opcode Fuzzy Hash: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
Instruction Fuzzy Hash: A3311871D01219ABCF15EFA4DC85AEFBFB9FF09344F101019E815B6162EB31AA06DB61

Function 00ED356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00ED3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00ED365C

Strings

static, xrefs: 00ED35BC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 807c07caa2d3dbeb5fd1b7fd2075087ea70f0acd2924410163ed75121b879821
Instruction ID: bd377ffa44ca0ae24d931270e5e5e9c1b6c95a989c953e7171f96a4c0e9f34b7
Opcode Fuzzy Hash: 807c07caa2d3dbeb5fd1b7fd2075087ea70f0acd2924410163ed75121b879821
Instruction Fuzzy Hash: AA319071110604AEDB20DF38DC41EFB73A9FF48764F10A61AF9A5A7280DA31ED82D761

Function 00ED4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00ED461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED4634

Strings

', xrefs: 00ED458E

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
Instruction ID: 3acbf01f238a222087ab89312cbe3ce6d97a111fefc7a8f45f4aeb2453246b23
Opcode Fuzzy Hash: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
Instruction Fuzzy Hash: 9D3136B4A0120A9FDF14CFA9D981BDABBB5FF19304F14506AE915AB381D770E942CF90

Function 00ED31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00ED327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED3287

Strings

Combobox, xrefs: 00ED3249

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
Instruction ID: bc2a86d4a7ce17867ffd0ce45cd9b9d21114241a04bf824fa4a1e5f3cf0fd0d3
Opcode Fuzzy Hash: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
Instruction Fuzzy Hash: B611E6717002087FEF219E64DC80EBB375BEB54368F105126F514A73A0D631DD529761

Function 00ED3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E4604C
Part of subcall function 00E4600E: GetStockObject.GDI32(00000011), ref: 00E46060
Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A

GetWindowRect.USER32(00000000,?), ref: 00ED377A
GetSysColor.USER32(00000012), ref: 00ED3794

Strings

static, xrefs: 00ED3757

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
Instruction ID: c8cf64924c723a1720f81c760165d343c21dbfabb677c207a46dfe6e84a58cac
Opcode Fuzzy Hash: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
Instruction Fuzzy Hash: 531156B261020AAFDF00DFB8DC46AEA7BF8FB08354F005926F955E2250E735E811DB60

Function 00EBCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EBCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EBCDA6

Strings

<local>, xrefs: 00EBCD66

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
Instruction ID: 4598f9587df83011c28640f385effd09bb292665bd3175198b70fd09f73ec428
Opcode Fuzzy Hash: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
Instruction Fuzzy Hash: 2A11C6792096327AD7344B668C45EE7BE6CEF527A8F60522AB149A3080D7709845D6F0

Function 00ED3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00ED34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00ED34BA

Strings

edit, xrefs: 00ED348F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
Instruction ID: b5d35a4dbbea7d50cf90bb37105df8ee202284ede228c9b4fb240279d340c708
Opcode Fuzzy Hash: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
Instruction Fuzzy Hash: 19118F71100208AFEF214E74EC44AEB37AAEB05778F606326F971A32D0C779DC569752

Function 00EA6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EA6CB6
_wcslen.LIBCMT ref: 00EA6CC2

Strings

STOP, xrefs: 00EA6CBC, 00EA6CC1

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 02c6ea1d6a59916bbb2a9829f9f87cd0bf80edd5e9b8a908e00e5e5a7ac3b149
Instruction ID: 8d8e8ae0e85dd5e8c5b6a0d360f718f22fb76c80889b6d4294fe085614bd8705
Opcode Fuzzy Hash: 02c6ea1d6a59916bbb2a9829f9f87cd0bf80edd5e9b8a908e00e5e5a7ac3b149
Instruction Fuzzy Hash: B20108326005278BCB20AFBDDC809BF73F4EF6B7647151924E462BA195EA31E900C650

Function 00EA1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EA1D4C

Strings

ComboBox, xrefs: 00EA1CEB
ListBox, xrefs: 00EA1D16

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea33eddc187e917535488184a96e17666a7c04bac5d381ee2d1e9c9ad690ef51
Instruction ID: 9290958704025a967a23dd35ae0de3e910e8d13fcb24479d18c9d7117d3bbbe6
Opcode Fuzzy Hash: ea33eddc187e917535488184a96e17666a7c04bac5d381ee2d1e9c9ad690ef51
Instruction Fuzzy Hash: 2301DD75A411146BCB08EBA4DC55CFFB7A8EB4B750F141559F8327B2C2DA3069089661

Function 00EA1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EA1C46

Strings

ComboBox, xrefs: 00EA1BE5
ListBox, xrefs: 00EA1C10

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ec8faf27040514b6bb632098e07a93da6d445bf5f334e9b4df4034ea26cb5d01
Instruction ID: 5c2e13396629d93e2da47827307ef6c3bcd78d1d7a0c082cdde3d122b0ca2f4b
Opcode Fuzzy Hash: ec8faf27040514b6bb632098e07a93da6d445bf5f334e9b4df4034ea26cb5d01
Instruction Fuzzy Hash: C501FC75AC110466CB08E7A0DD51AFFF7E89B1A350F102015B4067B1C2EA20AE0CD6B2

Function 00EA1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EA1CC8

Strings

ComboBox, xrefs: 00EA1C69
ListBox, xrefs: 00EA1C94

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 30b671a2c9114b2a0fe6177ccfb1bb7ff11e1ce0b128efb3b10b5fb3a18a6aec
Instruction ID: e92989d0edaf5264cdcb1d7cdcba3caf58f19e7fe0bfe2a1950a78c280db5c09
Opcode Fuzzy Hash: 30b671a2c9114b2a0fe6177ccfb1bb7ff11e1ce0b128efb3b10b5fb3a18a6aec
Instruction Fuzzy Hash: 2B01DBB5A8111467CF08E7A4DE41AFFF7E89F1A750F142015B80177282EA60AF08D6B2

Function 00EA1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD

Part of subcall function 00EA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EA3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EA1DD3

Strings

ComboBox, xrefs: 00EA1D75
ListBox, xrefs: 00EA1DA0

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 70f430e988bb80531f26d442ef09d7b0766cac8c09f4d1385e1268842e8dfb86
Instruction ID: 537a94fb0bf7134c2acb020c152d94b589ce99bdae6aa537d28ddabd01a32ccb
Opcode Fuzzy Hash: 70f430e988bb80531f26d442ef09d7b0766cac8c09f4d1385e1268842e8dfb86
Instruction Fuzzy Hash: E6F0A971E4121466D704F7A4DD51AFFB7A8AF0A750F142915B422772C2DA60A9089661

Function 00EC747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC7493
_wcslen.LIBCMT ref: 00EC74B9

Strings

3, 3, 16, 1, xrefs: 00EC7483

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 03e3b5fb4c48b5f3f9cf5b25ad3bc8cdadcc595fe2a2c25878b18e8d38cf900e
Instruction ID: 50301d8d6cd767563261378fef792c9ca4ba072525ea2120f104ef47c695cc4c
Opcode Fuzzy Hash: 03e3b5fb4c48b5f3f9cf5b25ad3bc8cdadcc595fe2a2c25878b18e8d38cf900e
Instruction Fuzzy Hash: B4E023416847111093351275ADC1F7F56C9EFC5790710381FF5D1E1196D655CD9353A1

Function 00EA0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EA0B23

Strings

Error allocating memory., xrefs: 00EA0B1C
AutoIt, xrefs: 00EA0B17

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2f6e5b26c49d9e9901c92237fabc002bfcd053809dd35e4747834b69510f46c7
Instruction ID: e02906922190620d2630f565ddb89958b4c7d4ea1802f2865b0aa297685611f9
Opcode Fuzzy Hash: 2f6e5b26c49d9e9901c92237fabc002bfcd053809dd35e4747834b69510f46c7
Instruction Fuzzy Hash: FEE0D8312843092AD2143754BC03F897BC4CF05FA1F201427FB48795C38AD2645096AA

Function 00E60D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E60D71,?,?,?,00E4100A), ref: 00E5F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E4100A), ref: 00E60D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E4100A), ref: 00E60D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E60D7F

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2354b399bc05fb1f5134adaf6967352b64075e8d8517b788689fb26b5d0b1675
Instruction ID: 2cf56bbf3dc93a1ba0754b34027d93944ff84448aceecd2361d7fa20997a3d2a
Opcode Fuzzy Hash: 2354b399bc05fb1f5134adaf6967352b64075e8d8517b788689fb26b5d0b1675
Instruction Fuzzy Hash: 48E06D702007118FD320DFB9F4043427BE4EB14795F009A2EE886E6765DBB0E448CB91

Function 00EB3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EB302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EB3044

Strings

aut, xrefs: 00EB3038

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
Instruction ID: aae1dcb79f1b4d651246a440150005793c99785265ecbe46acd2a05e95d67987
Opcode Fuzzy Hash: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
Instruction Fuzzy Hash: 75D05B71501314AFDA20A795AC0DFC73B6CD704750F000252B655E20E1DAB4D544CAD0

Function 00E9D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E9D220

Strings

X64, xrefs: 00E9D2A8
%.3d, xrefs: 00E9D22B

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: edef71415f64599753d4925bd53ba4c4286924dd6b910c77c7402e7233677155
Instruction ID: f65e2e8403e43f9de52d53cee7b2df8aeb97dd0a3ce9ccac959c6d5a3cf928b7
Opcode Fuzzy Hash: edef71415f64599753d4925bd53ba4c4286924dd6b910c77c7402e7233677155
Instruction Fuzzy Hash: EBD06265C0D129E9CF9097D0DD459F9B3BCEB18341F60A852FD06B1090E624D54CA761

Function 00ED2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED236C
PostMessageW.USER32(00000000), ref: 00ED2373

Part of subcall function 00EAE97B: Sleep.KERNELBASE ref: 00EAE9F3

Strings

Shell_TrayWnd, xrefs: 00ED2365

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c21fc7afe4942961bf9fdb3ffb28fc8f9d20af7dc0be4b5b3cc188538aa1a716
Instruction ID: fbc4acc27eb417b4e67923079191bb5cb28732ff265923e0af09d43453abc8f3
Opcode Fuzzy Hash: c21fc7afe4942961bf9fdb3ffb28fc8f9d20af7dc0be4b5b3cc188538aa1a716
Instruction Fuzzy Hash: 90D0C9323823117AEA64A771AC0FFCA76589B45B50F1049167655FA1D0C9A0B805CA55

Function 00ED2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00ED233F

Part of subcall function 00EAE97B: Sleep.KERNELBASE ref: 00EAE9F3

Strings

Shell_TrayWnd, xrefs: 00ED2325

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fa83ab96d4a12b243c3194e7050381783a17e87ec345eedc4bb17cb8e01ba404
Instruction ID: 8045392fc2e695a8890c6b59cccdb03a07225d4fcea5dd817d7eb4cdaa533834
Opcode Fuzzy Hash: fa83ab96d4a12b243c3194e7050381783a17e87ec345eedc4bb17cb8e01ba404
Instruction Fuzzy Hash: D1D0A932381310BAEA64A331AC0FFCA7A489B00B00F1009027205BA1D0C9A0A804CA00

Function 00E7BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E7BE93
GetLastError.KERNEL32 ref: 00E7BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E7BEFC

Memory Dump Source

Source File: 00000000.00000002.2718262048.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.2718248361.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000EDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718326432.0000000000F02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718374208.0000000000F0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2718394460.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e0c8f7bebfac49cffeef9b79875f85a7b546cb70c849af2b7f65ee0c626a372d
Instruction ID: ba0baa95fb0c4b1897bd14294864ef0be6c901c489c0665f19a40e3e03bce114
Opcode Fuzzy Hash: e0c8f7bebfac49cffeef9b79875f85a7b546cb70c849af2b7f65ee0c626a372d
Instruction Fuzzy Hash: A841F634701216AFCF258F65DC54BBA7BA4EF41B54F24A16AF95DBB2A1DB308C00DB50

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2wLcow5xOV9Wht&MD=y55AC6D1 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2wLcow5xOV9Wht&MD=y55AC6D1 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1739765191&timestamp=1727888846436 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=n7heLF4w9b8PogkQBevtUtN8SrbkjsfWFSYQGn4Pvl_GZS4l8akZWaXBvXyu66HGX1sLEfu1B87jo6psfm8M8c59vqgBUwvwHYlpmDISAp_aufGoPNCEwTwYf_NV6-75wvglD8WAHnfqTI-ZaO9rakNvoqhTOok9oK5TH4TAnWesJadtmQ

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 139

Chrome Cache Entry: 140

Chrome Cache Entry: 141

Chrome Cache Entry: 142

Chrome Cache Entry: 143

Chrome Cache Entry: 144

Chrome Cache Entry: 145

Chrome Cache Entry: 146

Chrome Cache Entry: 147

Chrome Cache Entry: 148

Chrome Cache Entry: 149

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 00E5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 00E442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00E442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00EADBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Function 00E82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00ECAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00E42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00E8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00E4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre