Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524418
MD5:	dcc55f9d576b4f7c3e10ce148a6b5573
SHA1:	670551f9924140aa4e7fd6c4881902e87686cce8
SHA256:	22a657c00ca607d94697d97c1b9fa774c7daaa4a7dee29e0f1e6afd8117f4e5d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DCC55F9D576B4F7C3E10CE148A6B5573)

taskkill.exe (PID: 6564 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 3548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6644	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_79.5.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_79.5.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2083938060.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_85.5.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_79.5.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_79.5.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_85.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_79.5.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_79.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_79.5.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_79.5.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_79.5.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_85.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_79.5.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_79.5.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_79.5.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_85.5.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_79.5.dr	String found in binary or memory: https://www.google.com
Source: chromecache_79.5.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_85.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_79.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_79.5.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2083439477.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2084024186.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2083466883.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2083322557.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_79.5.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49786 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00ECAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d1287816-e
Source: file.exe, 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_89955c38-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_213ae10b-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_642cebb3-4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00ECD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ECE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6CAF0	0_2_00E6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68060	0_2_00E68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED2046	0_2_00ED2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC8298	0_2_00EC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9E4FF	0_2_00E9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9676B	0_2_00E9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF4873	0_2_00EF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CAA0	0_2_00E8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7CC39	0_2_00E7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96DD9	0_2_00E96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7D063	0_2_00E7D063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E691C0	0_2_00E691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7B119	0_2_00E7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81394	0_2_00E81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81706	0_2_00E81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8781B	0_2_00E8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E819B0	0_2_00E819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7997D	0_2_00E7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67920	0_2_00E67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87A4A	0_2_00E87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87CA7	0_2_00E87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81C77	0_2_00E81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E99EEE	0_2_00E99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EEBE44	0_2_00EEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81F32	0_2_00E81F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E7F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@34/30@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED37B5 GetLastError,FormatMessageW,

0_2_00ED37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00ED51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EEA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00ED648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E642A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E80A76 push ecx; ret

0_2_00E80A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96263

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ECDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED68EE FindFirstFileW,FindClose,	0_2_00ED68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00ED698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ECD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ECD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ED9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ED979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00ED9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00ED5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-95820

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDEAA2 BlockInput,

0_2_00EDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00E84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EC0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E809D5 SetUnhandledExceptionFilter,	0_2_00E809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E7F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EE22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, 00000000.00000003.1749724215.00000000010DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757008229.00000000010DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749780175.00000000010DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E80698 cpuid

0_2_00E80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00ED8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBD27A GetUserNameW,

0_2_00EBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E9BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	8%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.181.238	true	false	unknown
www3.l.google.com	216.58.206.78	true	false	unknown
play.google.com	216.58.212.142	true	false	unknown
www.google.com	142.250.184.196	true	false	unknown
youtube.com	142.250.185.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_79.5.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_79.5.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_85.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_79.5.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_85.5.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_79.5.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_79.5.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_79.5.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_79.5.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_79.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
216.58.212.142	play.google.com	United States	15169	GOOGLEUS	false
216.58.206.78	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.238	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524418
Start date and time:	2024-10-02 19:06:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@34/30@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 51 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131, 172.217.16.206, 108.177.15.84, 34.104.35.123, 142.250.186.99, 142.250.181.227, 142.250.185.170, 142.250.186.74, 172.217.16.138, 142.250.185.106, 172.217.18.10, 216.58.206.74, 142.250.186.138, 142.250.186.106, 142.250.186.42, 172.217.16.202, 142.250.185.74, 216.58.212.170, 142.250.185.138, 216.58.206.42, 142.250.186.170, 142.250.74.202, 142.250.184.234, 172.217.23.106, 142.250.181.234, 142.250.185.234, 142.250.185.202, 216.58.212.138, 172.217.18.106, 142.250.184.202, 93.184.221.240, 192.229.221.95, 172.217.18.3, 142.250.110.84, 172.217.18.14
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:07:45	Task Scheduler	Run new task: {C67E0542-A958-43AF-ABDB-AEF340797637} path:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582311838864741
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	dcc55f9d576b4f7c3e10ce148a6b5573
SHA1:	670551f9924140aa4e7fd6c4881902e87686cce8
SHA256:	22a657c00ca607d94697d97c1b9fa774c7daaa4a7dee29e0f1e6afd8117f4e5d
SHA512:	0095471940fe15e1f7c87d758e016e8960046f765a11429fbcf91d92a5c0419c5dffb00a027cd4f0492fbc508610236b82fbdb4377fe514de0091e91bb5aaa6c
SSDEEP:	12288:5qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgayT+:5qDEvCTbMWu7rQYlBQcBiT6rprG8aS+
TLSH:	C8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD7880 [Wed Oct 2 16:44:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD3D973F6F3h
jmp 00007FD3D973EFFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD3D973F1DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD3D973F1AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD3D9741D9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD3D9741DE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD3D9741DD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9990	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9990	0x9a00	94062f9a09f2d8301696eb0f4d902598	False	0.3059303977272727	data	5.281275157676861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc56	data			1.0034832172260926
RT_GROUP_ICON	0xdd410	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd488	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd49c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd4b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd4c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd5a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:07:58.004426956 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.004477978 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.004542112 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.005942106 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.005953074 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.649652958 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.649847984 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.649880886 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.650284052 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.650341988 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.650958061 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.651005983 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.652318001 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.652375937 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.652467012 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.652476072 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.698482990 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.929960012 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.930041075 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.930088043 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.930883884 CEST	49731	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:07:58.930900097 CEST	443	49731	142.250.185.142	192.168.2.4
Oct 2, 2024 19:07:58.940747023 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:58.940778971 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:58.940829039 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:58.941021919 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:58.941031933 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.597903013 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.643558025 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.643573046 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.644285917 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.644346952 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.645028114 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.645062923 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.646147013 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.646214962 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.646470070 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.646476030 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.698470116 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.908118010 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.908173084 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.908243895 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.908293009 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.908355951 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:07:59.908420086 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.910453081 CEST	49736	443	192.168.2.4	142.250.181.238
Oct 2, 2024 19:07:59.910486937 CEST	443	49736	142.250.181.238	192.168.2.4
Oct 2, 2024 19:08:01.839097023 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:01.839169979 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:01.840094090 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:01.840094090 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:01.840150118 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.506840944 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.507201910 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:02.507229090 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.508434057 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.508497953 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:02.527414083 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:02.527638912 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.581310987 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:02.581340075 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:02.636873007 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:02.715449095 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:02.715486050 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:02.715567112 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:02.717243910 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:02.717272043 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.693916082 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.694051027 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.709557056 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.709583998 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.710134983 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.751219988 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.766571999 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.811399937 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.965688944 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.965761900 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.966006994 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.966557980 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.966579914 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:03.966677904 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:03.966686010 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.000293970 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.000329971 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.000451088 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.000742912 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.000752926 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.681962967 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.682040930 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.770987988 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.771020889 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.771374941 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.780844927 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.823407888 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.970088959 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.970160961 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.970221996 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.972178936 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.972206116 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:04.972222090 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:08:04.972229004 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:08:07.496762991 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:07.496825933 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:07.496906996 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:07.497138023 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:07.497169971 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.144625902 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.145073891 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.145142078 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.145575047 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.145652056 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.146296024 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.146344900 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.147450924 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.147521019 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.147857904 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.147877932 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.192392111 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523643970 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523699045 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523731947 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523761034 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523777008 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523777962 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523792982 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523847103 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523875952 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523896933 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523896933 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523915052 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523924112 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.523968935 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.523982048 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.524039030 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.524063110 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.528395891 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.528460979 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.528486013 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.564250946 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.564299107 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.564322948 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.564336061 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.564347982 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.564378977 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.569339037 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.569385052 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.569395065 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.569417953 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.569463968 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.575651884 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.575730085 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.595937967 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.595997095 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596035004 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.596055984 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596107006 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.596160889 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596226931 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596271038 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.596285105 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596468925 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.596514940 CEST	443	49756	216.58.206.78	192.168.2.4
Oct 2, 2024 19:08:08.596566916 CEST	49756	443	192.168.2.4	216.58.206.78
Oct 2, 2024 19:08:08.651913881 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.651942015 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:08.652000904 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.652230024 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.652245045 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:08.702177048 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.702274084 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:08.702361107 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.702805042 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:08.702836037 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.373992920 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.394360065 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.394368887 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.394907951 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.394969940 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.395932913 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.396001101 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.398215055 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.398288012 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.398957968 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.398964882 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.418442011 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.420366049 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.420389891 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.420763969 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.420818090 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.421483040 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.421523094 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.421827078 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.421876907 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.422498941 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.422504902 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.449925900 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.466286898 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.711884022 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.711988926 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.712100983 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.719655037 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.719779015 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.719852924 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.778326035 CEST	49762	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.778358936 CEST	443	49762	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.783322096 CEST	49760	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.783358097 CEST	443	49760	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.785311937 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.785362005 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.785433054 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.788463116 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.788522959 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.788676023 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.796225071 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.796255112 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:09.796359062 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:09.796381950 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.058722019 CEST	49672	443	192.168.2.4	173.222.162.32
Oct 2, 2024 19:08:10.058825970 CEST	443	49672	173.222.162.32	192.168.2.4
Oct 2, 2024 19:08:10.440073013 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.440453053 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.440488100 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.440579891 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.440836906 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.440865040 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.441911936 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.441972971 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.442086935 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.442142963 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.442702055 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.442754984 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.442920923 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.442922115 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.442964077 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.442991018 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.443068981 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.443093061 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.443120956 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.443188906 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.443272114 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.443285942 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.443308115 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.443344116 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.487409115 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.496341944 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.496370077 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.496397972 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.543232918 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.661823034 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.663376093 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.663439035 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.664402962 CEST	49765	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.664426088 CEST	443	49765	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.671633005 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.671958923 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.672030926 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.672636986 CEST	49764	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:10.672660112 CEST	443	49764	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:10.817652941 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:10.863404989 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.082688093 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:11.082710981 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:11.082794905 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:11.084754944 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:11.084767103 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:11.088651896 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.088701010 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.088731050 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.088762999 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.088778019 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:11.088793039 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.088814020 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:11.089215040 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.089320898 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:11.091403961 CEST	49741	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:08:11.091419935 CEST	443	49741	142.250.184.196	192.168.2.4
Oct 2, 2024 19:08:11.881483078 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:11.881551027 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:11.884877920 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:11.884886026 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:11.885169029 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:11.948357105 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:12.997939110 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.043399096 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257499933 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257520914 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257529020 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257544994 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257563114 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.257571936 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257587910 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.257594109 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257616997 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257637024 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.257642984 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.257662058 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.258078098 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.258132935 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:13.258140087 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.258277893 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:13.258318901 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:14.176211119 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:14.176211119 CEST	49769	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:14.176238060 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:14.176243067 CEST	443	49769	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:16.498702049 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:16.498755932 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:16.498814106 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:16.500372887 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:16.500386953 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.240262032 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.240675926 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.240721941 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.241261005 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.241579056 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.241667032 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.241728067 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.241744995 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.241761923 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.550843000 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.551059008 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:17.551105022 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.551753044 CEST	49779	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:17.551779032 CEST	443	49779	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:39.358917952 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.358963966 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:39.359127998 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.359700918 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.359714031 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:39.898570061 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.898621082 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:39.898823977 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.898983002 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:39.898998022 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.013752937 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.014086962 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.014168978 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.014518976 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.014844894 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.014920950 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.015014887 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.015053988 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.015068054 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.038497925 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.038557053 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.038657904 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.038887978 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.038897991 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.317161083 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.317514896 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.317601919 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.317842007 CEST	49783	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.317888021 CEST	443	49783	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.542823076 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.543102026 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.543126106 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.543498993 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.543777943 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.543845892 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.543951988 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.543972015 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.543982983 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.675051928 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.675375938 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.675422907 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.675757885 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.676037073 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.676094055 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.676186085 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.676207066 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.676214933 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.842154026 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.842804909 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.842917919 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.845032930 CEST	49784	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.845052958 CEST	443	49784	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.904489994 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.904609919 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:40.904687881 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.908869982 CEST	49785	443	192.168.2.4	216.58.212.142
Oct 2, 2024 19:08:40.908917904 CEST	443	49785	216.58.212.142	192.168.2.4
Oct 2, 2024 19:08:50.633042097 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:50.633141994 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:50.633223057 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:50.633554935 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:50.633590937 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.407753944 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.408066034 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.411726952 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.411741972 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.412003040 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.421642065 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.463399887 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.739331961 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.739356041 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.739439011 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.739500999 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.739525080 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.739552975 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.739574909 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.740439892 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.740474939 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.740506887 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.740511894 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.740534067 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.740537882 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.740587950 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.744827032 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.744842052 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:08:51.744853973 CEST	49786	443	192.168.2.4	20.114.59.183
Oct 2, 2024 19:08:51.744858980 CEST	443	49786	20.114.59.183	192.168.2.4
Oct 2, 2024 19:09:01.888168097 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:01.888293982 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:01.888417006 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:01.888662100 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:01.888695002 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:02.528027058 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:02.528865099 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:02.528892040 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:02.529354095 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:02.529644012 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:02.529755116 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:02.575290918 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:09.605787039 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:09.605828047 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:09.605897903 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:09.606061935 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:09.606086016 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.246675968 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.246997118 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.247035027 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.247574091 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.247860909 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.247936010 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.248034000 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.248058081 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.248065948 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.567142963 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.569106102 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:10.569189072 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.569580078 CEST	49790	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:10.569602013 CEST	443	49790	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:12.493989944 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:12.494062901 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:12.494118929 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:12.561664104 CEST	49788	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:09:12.561711073 CEST	443	49788	142.250.184.196	192.168.2.4
Oct 2, 2024 19:09:12.562000990 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:12.562100887 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:12.562194109 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:12.562477112 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:12.562517881 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.219430923 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.219779968 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.219810963 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.220169067 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.220633984 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.220719099 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.220818996 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.220865011 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.220890045 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.538187027 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.538316965 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:13.538405895 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.538873911 CEST	49791	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:13.538901091 CEST	443	49791	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:40.372940063 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:40.373027086 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:40.373126984 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:40.373575926 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:40.373608112 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.047610044 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.090858936 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.097275972 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.097290039 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.097855091 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.098469973 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.098536968 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.098697901 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.098723888 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.098728895 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.349783897 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.350497961 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:41.350610971 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.350769997 CEST	49793	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:41.350796938 CEST	443	49793	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.315779924 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.315834999 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.315933943 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.316344023 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.316365004 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.962802887 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.963175058 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.963192940 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.963761091 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.964143991 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.964236975 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:44.964358091 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.964395046 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:44.964405060 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:45.263124943 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:45.264413118 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:09:45.264810085 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:45.264909983 CEST	49794	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:09:45.264951944 CEST	443	49794	142.250.185.142	192.168.2.4
Oct 2, 2024 19:10:01.952799082 CEST	49795	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:10:01.952867031 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:01.952944994 CEST	49795	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:10:01.953330994 CEST	49795	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:10:01.953346014 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:02.612844944 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:02.613177061 CEST	49795	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:10:02.613231897 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:02.613713980 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:02.614156961 CEST	49795	443	192.168.2.4	142.250.184.196
Oct 2, 2024 19:10:02.614242077 CEST	443	49795	142.250.184.196	192.168.2.4
Oct 2, 2024 19:10:02.654340982 CEST	49795	443	192.168.2.4	142.250.184.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:07:57.941554070 CEST	53	54586	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:57.982687950 CEST	63529	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:07:57.982840061 CEST	55914	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:07:57.991305113 CEST	53	55914	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:57.996385098 CEST	53	52732	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:58.002360106 CEST	53	63529	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:58.933322906 CEST	64947	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:07:58.933468103 CEST	62467	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:07:58.940129995 CEST	53	64947	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:58.940398932 CEST	53	62467	1.1.1.1	192.168.2.4
Oct 2, 2024 19:07:58.991235971 CEST	53	59705	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:01.825097084 CEST	50689	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:01.825146914 CEST	56020	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:01.834147930 CEST	53	50689	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:01.834165096 CEST	53	56020	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:04.863596916 CEST	53	63440	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:07.486665010 CEST	60281	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:07.486829996 CEST	61717	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:07.493500948 CEST	53	60281	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:07.493640900 CEST	53	61717	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:08.629462957 CEST	58906	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:08.629621983 CEST	49355	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:08:08.636389017 CEST	53	58906	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:08.636974096 CEST	53	49355	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:10.365333080 CEST	53	60525	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:11.013300896 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 19:08:15.982424974 CEST	53	60664	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:34.722138882 CEST	53	55188	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:57.771334887 CEST	53	56736	1.1.1.1	192.168.2.4
Oct 2, 2024 19:08:57.772254944 CEST	53	51150	1.1.1.1	192.168.2.4
Oct 2, 2024 19:09:09.507644892 CEST	53	50591	1.1.1.1	192.168.2.4
Oct 2, 2024 19:09:09.598110914 CEST	62490	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:09:09.598261118 CEST	58533	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:09:09.605359077 CEST	53	58533	1.1.1.1	192.168.2.4
Oct 2, 2024 19:09:09.605407000 CEST	53	62490	1.1.1.1	192.168.2.4
Oct 2, 2024 19:09:25.926584959 CEST	53	55507	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:07:57.982687950 CEST	192.168.2.4	1.1.1.1	0x9b30	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:57.982840061 CEST	192.168.2.4	1.1.1.1	0xf3fb	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:07:58.933322906 CEST	192.168.2.4	1.1.1.1	0x48ae	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.933468103 CEST	192.168.2.4	1.1.1.1	0x3fd3	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:08:01.825097084 CEST	192.168.2.4	1.1.1.1	0xc79e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:08:01.825146914 CEST	192.168.2.4	1.1.1.1	0x3799	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:08:07.486665010 CEST	192.168.2.4	1.1.1.1	0x3341	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:08:07.486829996 CEST	192.168.2.4	1.1.1.1	0x5db1	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:08:08.629462957 CEST	192.168.2.4	1.1.1.1	0x701b	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:08:08.629621983 CEST	192.168.2.4	1.1.1.1	0xac20	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:09:09.598110914 CEST	192.168.2.4	1.1.1.1	0x20ee	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:09:09.598261118 CEST	192.168.2.4	1.1.1.1	0x6ff5	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:07:57.991305113 CEST	1.1.1.1	192.168.2.4	0xf3fb	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:07:58.002360106 CEST	1.1.1.1	192.168.2.4	0x9b30	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940129995 CEST	1.1.1.1	192.168.2.4	0x48ae	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940398932 CEST	1.1.1.1	192.168.2.4	0x3fd3	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:07:58.940398932 CEST	1.1.1.1	192.168.2.4	0x3fd3	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:08:01.834147930 CEST	1.1.1.1	192.168.2.4	0xc79e	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:08:01.834165096 CEST	1.1.1.1	192.168.2.4	0x3799	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:08:07.493500948 CEST	1.1.1.1	192.168.2.4	0x3341	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:08:07.493500948 CEST	1.1.1.1	192.168.2.4	0x3341	No error (0)	www3.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:08:07.493640900 CEST	1.1.1.1	192.168.2.4	0x5db1	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:08:08.636389017 CEST	1.1.1.1	192.168.2.4	0x701b	No error (0)	play.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:09:09.605407000 CEST	1.1.1.1	192.168.2.4	0x20ee	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	142.250.185.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:58 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:58 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:07:58 GMT Date: Wed, 02 Oct 2024 17:07:58 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.181.238	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:07:59 UTC	877	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:07:59 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:07:59 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:37:59 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=RhAHj0uPIQA; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=nJkrCbMxTrI; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:07:59 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgWg%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:07:59 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:03 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:08:03 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=85067 Date: Wed, 02 Oct 2024 17:08:03 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:04 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:08:04 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=85010 Date: Wed, 02 Oct 2024 17:08:04 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:08:04 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	216.58.206.78	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:08 UTC	1244	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-988342958&timestamp=1727888886778 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:08 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-UWPRyMj54idNeGDi_vaMQg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:08:08 GMT Cross-Origin-Resource-Policy: cross-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw1ZBikPj6kkkNiJ3SZ7AGAHHSv_OsBUB8ufsS63UgVu25xGoMxEUSV1gbgFiIh-PH76_b2QQezJ60glFJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAA-Wwt9w" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 55 57 50 52 79 4d 6a 35 34 69 64 4e 65 47 44 69 5f 76 61 4d 51 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="UWPRyMj54idNeGDi_vaMQg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 17:08:08 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49762	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49760	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:10 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:10 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 38 37 39 32 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888887924",null,null,null
2024-10-02 17:08:10 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=e18Ty73cNctU-x-JfN4SojX4PcnEo1Dct535sF23s5zGil8NI1Ieor1cshi73dBRsUZOWYv9o3px5TxTrnfZcfGOT54v28QW9Wuh8Qt5KH0IYa4hQPLbP4CtCFQTD3hIojucazjRTAwZ6Qt5GxWUHWpvIST0Ru38iFyVDG4fqL48Fu4Pz0g; expires=Thu, 03-Apr-2025 17:08:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:08:10 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49765	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:10 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:08:10 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 38 37 39 39 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888887999",null,null,null
2024-10-02 17:08:10 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=uDc8AmXDKN_vOVtvbjeWx4r3JtTRUcdQERXSh1jDJXIe7gpiQAePkz1f6WqjFJqKAe2imIrX_MBlu1lXDRjQ5-UgNbTUoJ9I1DpK6lUPmwAolDdZXdogkyCBTVKKrZvFdUTdgELWLkP_QbgXKu-KHVRdRcWQ9OM9A9FxdNi2dKH5nrMZDg; expires=Thu, 03-Apr-2025 17:08:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:08:10 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.184.196	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:10 UTC	1222	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=e18Ty73cNctU-x-JfN4SojX4PcnEo1Dct535sF23s5zGil8NI1Ieor1cshi73dBRsUZOWYv9o3px5TxTrnfZcfGOT54v28QW9Wuh8Qt5KH0IYa4hQPLbP4CtCFQTD3hIojucazjRTAwZ6Qt5GxWUHWpvIST0Ru38iFyVDG4fqL48Fu4Pz0g
2024-10-02 17:08:11 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 5460 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:08:11 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:08:11 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 17:08:11 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:08:11 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 17:08:11 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49769	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=N8RZGtEacBEtvUL&MD=sR+8pM3y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:08:13 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ab34f9cf-184d-42f7-97c0-2c1b314cb2b6 MS-RequestId: 823bd687-696e-44a0-ae93-a738532ca0e5 MS-CV: eyl34PNQjkWjkCJm.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:08:13 GMT Connection: close Content-Length: 24490
2024-10-02 17:08:13 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:08:13 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49779	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:17 UTC	1307	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=e18Ty73cNctU-x-JfN4SojX4PcnEo1Dct535sF23s5zGil8NI1Ieor1cshi73dBRsUZOWYv9o3px5TxTrnfZcfGOT54v28QW9Wuh8Qt5KH0IYa4hQPLbP4CtCFQTD3hIojucazjRTAwZ6Qt5GxWUHWpvIST0Ru38iFyVDG4fqL48Fu4Pz0g
2024-10-02 17:08:17 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 38 38 38 35 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727888885000",null,null,null,
2024-10-02 17:08:17 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw; expires=Thu, 03-Apr-2025 17:08:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:08:17 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49783	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:40 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1323 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:08:40 UTC	1323	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 31 38 36 35 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888918655",null,null,null
2024-10-02 17:08:40 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:40 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49784	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:40 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1334 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:08:40 UTC	1334	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 31 39 33 33 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888919335",null,null,null
2024-10-02 17:08:40 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:40 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49785	216.58.212.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:40 UTC	1297	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 864 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:08:40 UTC	864	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 17:08:40 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:08:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:08:40 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:08:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49786	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:08:51 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=N8RZGtEacBEtvUL&MD=sR+8pM3y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:08:51 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 7723b481-ea9a-464a-87a0-8bcb6f1cc49f MS-RequestId: 9d91695d-6297-4aa9-8f8b-d17887f6ea35 MS-CV: QuEcT8rHuke3XzYv.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:08:50 GMT Connection: close Content-Length: 30005
2024-10-02 17:08:51 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:08:51 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49790	142.250.185.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:09:10 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1397 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:09:10 UTC	1397	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 34 38 38 39 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888948898",null,null,null
2024-10-02 17:09:10 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:09:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:09:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49791	142.250.185.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:09:13 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1524 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:09:13 UTC	1524	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 35 31 38 36 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888951861",null,null,null
2024-10-02 17:09:13 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:09:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:09:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49793	142.250.185.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:09:41 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1274 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:09:41 UTC	1274	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 37 39 36 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888979672",null,null,null
2024-10-02 17:09:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:09:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:09:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49794	142.250.185.142	443	6964	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:09:44 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1260 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mjrIG4hZaFmqazVPCWesv39nOS2IWsEigaF3Rd8xi13vQPWPKsAF3dNhipOb4XZDS1xsGJMd_9RsqobS-hCOjFUBWEGvms_wfweZfhTA-0GkzNu_hBc715CR2hBc7YZDjaBw4ehNNW01MvaNEwojb5VU4wXMc2lXfCQbKIEqscRYntuDL88GdTJWNdw
2024-10-02 17:09:44 UTC	1260	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 39 38 33 36 31 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727888983615",null,null,null
2024-10-02 17:09:45 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:09:45 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:09:45 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:09:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:07:53
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe60000
File size:	918'528 bytes
MD5 hash:	DCC55F9D576B4F7C3E10CE148A6B5573
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:07:54
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xef0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:07:54
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:07:55
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:07:56
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:08:07
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:08:07
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=2220,i,9680789941441355712,1419918958670403505,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.4%
Total number of Nodes:	1820
Total number of Limit Nodes:	116

Executed Functions

Function 00E7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EBF474
IsIconic.USER32(00000000), ref: 00EBF47D
ShowWindow.USER32(00000000,00000009), ref: 00EBF48A
SetForegroundWindow.USER32(00000000), ref: 00EBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBF4AA
GetCurrentThreadId.KERNEL32 ref: 00EBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EBF4DE
SetForegroundWindow.USER32(00000000), ref: 00EBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF4F6
keybd_event.USER32(00000012,00000000), ref: 00EBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF50B
keybd_event.USER32(00000012,00000000), ref: 00EBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF519
keybd_event.USER32(00000012,00000000), ref: 00EBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF528
keybd_event.USER32(00000012,00000000), ref: 00EBF52D
SetForegroundWindow.USER32(00000000), ref: 00EBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EBF557

Strings

Shell_TrayWnd, xrefs: 00EBF46F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6d0b5694ecdecdf28e6869992220305103261ac4c63ce9935243b887c6a25c40
Instruction ID: d3b6af7a2ead75d6ef86a8885960eb56785b49d3ea52fc1a5b8a5cb03d7ed9fe
Opcode Fuzzy Hash: 6d0b5694ecdecdf28e6869992220305103261ac4c63ce9935243b887c6a25c40
Instruction Fuzzy Hash: 58313071A4021CBEEB206BB65D4AFBF7E6CEB84B50F211066F605F61D1C6B19D00EA61

Function 00E642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E6430D

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

GetCurrentProcess.KERNEL32(?,00EFCB64,00000000,?,?), ref: 00E64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E644A0

Strings

GetNativeSystemInfo, xrefs: 00E64460
kernel32.dll, xrefs: 00E6444F
|O, xrefs: 00EA36F8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 7d6e8da77edcb8850a8473d8d8558e590fbbb0e87a818eff7f081d09210f73d6
Instruction ID: 0a7a4a1367e33d15900d209d9e9337fca000f8ba6528b3730500a93f0bcc9356
Opcode Fuzzy Hash: 7d6e8da77edcb8850a8473d8d8558e590fbbb0e87a818eff7f081d09210f73d6
Instruction Fuzzy Hash: E8A106B290A3CCCFC721C7B97C451E57FE67B26364B186899E481B7B62D6304508FB22

Function 00E642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E650AA,?,?,00000000,00000000), ref: 00E642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E650AA,?,?,00000000,00000000), ref: 00E642C9
LoadResource.KERNEL32(?,00000000,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20), ref: 00EA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20), ref: 00EA35D3
LockResource.KERNEL32(00E650AA,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20,?), ref: 00EA35E6

Strings

SCRIPT, xrefs: 00E642BF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: eafbd54413dcb70be702a1cbb25d729d3f160a5fb4b008e7acca7ece14c93a87
Instruction ID: 0c715c6e35e63fb6a7e5c9405f955d4580cef84b40fce3885f29be30013ef7e1
Opcode Fuzzy Hash: eafbd54413dcb70be702a1cbb25d729d3f160a5fb4b008e7acca7ece14c93a87
Instruction Fuzzy Hash: 78117CB0240704BFE7219B66ED58F677BB9EBC5B95F304169F502E62A0DB71EC14C620

Function 00ECDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00ECDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00ECDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00ECDBEE
FindClose.KERNEL32(00000000), ref: 00ECDBFA

Strings

"R, xrefs: 00ECDBCA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 73df1e0be4a3bc6f9e9f7528e0a1bb5a3f80be7cd026672ca653d2e3ac519e6f
Instruction ID: dcb3cd32175a2bb64639f84c6c76064a85b1a8b4cf410afb5d1ee3ff86afa7b4
Opcode Fuzzy Hash: 73df1e0be4a3bc6f9e9f7528e0a1bb5a3f80be7cd026672ca653d2e3ac519e6f
Instruction Fuzzy Hash: 94F0A7304149185B92206B789E0DDBA776C9F81334B304716F435E20F0EBB26959C595

Function 00EF1C41 Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindowVisible.USER32 ref: 00EF1CC0
IsWindowEnabled.USER32 ref: 00EF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00EF1CDB
IsIconic.USER32 ref: 00EF1CE9
IsZoomed.USER32 ref: 00EF1CF7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7a9c868ff65eb693fd1c0b1c9bc156cd9de9667af1981ede2fbe8834e88675aa
Instruction ID: 5447e4ea11d3fa37ce503d8d4d07ddf16882d9fd243d35f5b03eeab44da4d15e
Opcode Fuzzy Hash: 7a9c868ff65eb693fd1c0b1c9bc156cd9de9667af1981ede2fbe8834e88675aa
Instruction Fuzzy Hash: 0921B4317402089FD7248F1AD844B76BBE5AF85315B29A098E945EB351C771DC46CB90

Function 00EA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E62B6B

Part of subcall function 00E63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F31418,?,00E62E7F,?,?,?,00000000), ref: 00E63A78

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F22224), ref: 00EA2C10
ShellExecuteW.SHELL32(00000000,?,?,00F22224), ref: 00EA2C17

Strings

runas, xrefs: 00EA2C0B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4504a88034555ca8e4711ec6524304778f7b100f00c2ce539a648b575324d69d
Instruction ID: 6f6386b87cad41a48d12edaeb11aefbeaa81f7396502e81aa71ce065eeda90fc
Opcode Fuzzy Hash: 4504a88034555ca8e4711ec6524304778f7b100f00c2ce539a648b575324d69d
Instruction Fuzzy Hash: D111AF31288245AAC704FF74F8519BEB7E8AB957A4F54342DF182721A3CF319A49E712

Function 00E84CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002,00000000,?,00E928E9,00000003,00E92DF7,?,?), ref: 00E84D09
TerminateProcess.KERNEL32(00000000,?,00E928E9,00000003,00E92DF7,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000), ref: 00E84D10
ExitProcess.KERNEL32 ref: 00E84D22

Strings

(, xrefs: 00E84CEA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 8c60731689ea6db52b8d6cbf6582964a2bfb84c045ad3246ae8519958375c57b
Instruction ID: 478ee07082e5b1fa9b45883d52d1c386a008be264d02cc1554eea81d115ecd99
Opcode Fuzzy Hash: 8c60731689ea6db52b8d6cbf6582964a2bfb84c045ad3246ae8519958375c57b
Instruction Fuzzy Hash: 7CE0B6B1001149AFCF12BF65DE09A687B69EB81785B205054FC0DAA1A2DB35ED56DB80

Function 00E6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00EB0C40

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a051041236e4181fc4a035e9f7fcc83d345a21da5e7198de2e295aff5382497a
Instruction ID: 3d1db921c466dd925040ca56c27f61b8b388cb07f98f544b7a9a97465979b4cd
Opcode Fuzzy Hash: a051041236e4181fc4a035e9f7fcc83d345a21da5e7198de2e295aff5382497a
Instruction Fuzzy Hash: 05328F70A40218DBCF14DF90E885AFEB7F5BF04388F24A069E846BB292D775AD45CB51

Function 00EEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00EEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB1D4
_wcslen.LIBCMT ref: 00EEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB236
_wcslen.LIBCMT ref: 00EEB332

Part of subcall function 00ED05A7: GetStdHandle.KERNEL32(000000F6), ref: 00ED05C6

_wcslen.LIBCMT ref: 00EEB34B
_wcslen.LIBCMT ref: 00EEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EEB3B6
GetLastError.KERNEL32(00000000), ref: 00EEB407
CloseHandle.KERNEL32(?), ref: 00EEB439
CloseHandle.KERNEL32(00000000), ref: 00EEB44A
CloseHandle.KERNEL32(00000000), ref: 00EEB45C
CloseHandle.KERNEL32(00000000), ref: 00EEB46E
CloseHandle.KERNEL32(?), ref: 00EEB4E3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c42f9d57292f131414c339307cd0ef2fa03f7b2970224757b5f003a5a733a156
Instruction ID: f275052cccd3f35b2acaef2d232986f94780f817a53bb17a128f1ea946615576
Opcode Fuzzy Hash: c42f9d57292f131414c339307cd0ef2fa03f7b2970224757b5f003a5a733a156
Instruction Fuzzy Hash: 83F1CC316083449FC724EF25D891B6FBBE5AF85314F18945DF899AB2A2DB30EC04CB52

Function 00E6D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E6D807
timeGetTime.WINMM ref: 00E6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB28
TranslateMessage.USER32(?), ref: 00E6DB7B
DispatchMessageW.USER32(?), ref: 00E6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB9F
Sleep.KERNELBASE(0000000A), ref: 00E6DBB1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 21ee069ffcd0fb843d7498c4a28e0ae65ac6d2a1d23c5b624dd35ef463693698
Instruction ID: 96223b3abc3af53e5b80ac887e679aaa783146790bcdd6f23add468af623132b
Opcode Fuzzy Hash: 21ee069ffcd0fb843d7498c4a28e0ae65ac6d2a1d23c5b624dd35ef463693698
Instruction Fuzzy Hash: 05422030B48245DFE728CF24DC84BAAB7E0FF85358F98A55DE559A7291C770E844CB82

Function 00E62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E62D07
RegisterClassExW.USER32(00000030), ref: 00E62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E62D42
InitCommonControlsEx.COMCTL32(?), ref: 00E62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E62D6F
LoadIconW.USER32(000000A9), ref: 00E62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E62D94

Strings

TaskbarCreated, xrefs: 00E62D37
AutoIt v3 GUI, xrefs: 00E62D23
+, xrefs: 00E62CF0
0, xrefs: 00E62CE9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0d5c3dde379aee1e2096059da2fbeda73496277ebc7a1e422b05e58ad9dc8608
Instruction ID: e509c690eca4d0afe3341efbf34c5ae69c3c8bc91459ffc3baceaad507ed91cd
Opcode Fuzzy Hash: 0d5c3dde379aee1e2096059da2fbeda73496277ebc7a1e422b05e58ad9dc8608
Instruction Fuzzy Hash: 5721E2B190220CEFDB00DFA5E949BEDBBB5FB48710F20811AE611B62A0D7B15548DF90

Function 00EA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EA0704,?,?,00000000,?,00EA0704,00000000,0000000C), ref: 00EA03B7

GetLastError.KERNEL32 ref: 00EA076F
__dosmaperr.LIBCMT ref: 00EA0776
GetFileType.KERNELBASE(00000000), ref: 00EA0782
GetLastError.KERNEL32 ref: 00EA078C
__dosmaperr.LIBCMT ref: 00EA0795
CloseHandle.KERNEL32(00000000), ref: 00EA07B5
CloseHandle.KERNEL32(?), ref: 00EA08FF
GetLastError.KERNEL32 ref: 00EA0931
__dosmaperr.LIBCMT ref: 00EA0938

Strings

H, xrefs: 00EA08BD

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b9cd2e5c4225b71f686d2098bf64f37961aa17e4b036135c99e201699330fb4f
Instruction ID: c82ed8b3607d37e3009a56678f97ea8ff5c00aed19b6560f8b77df2dc4dee840
Opcode Fuzzy Hash: b9cd2e5c4225b71f686d2098bf64f37961aa17e4b036135c99e201699330fb4f
Instruction Fuzzy Hash: AEA12932A001088FDF19EF78D851BAE7BE1EB4A324F14115AF815BF391DB31A816CB91

Function 00E6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F31418,?,00E62E7F,?,?,?,00000000), ref: 00E63A78

Part of subcall function 00E63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EA31CE
RegCloseKey.ADVAPI32(?), ref: 00EA3210
_wcslen.LIBCMT ref: 00EA3277
_wcslen.LIBCMT ref: 00EA3286

Strings

Include, xrefs: 00EA3184, 00EA31C5
\, xrefs: 00EA328C
\Include\, xrefs: 00E63527
Software\AutoIt v3\AutoIt, xrefs: 00E63560

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f99708d1c3dc848d6875f4aaad313e5af1276987e8e4b401282fa557b3388915
Instruction ID: 4188a32e2ef4c5c3621befaa8c196437550a07922f27516679df3a3d43d5f711
Opcode Fuzzy Hash: f99708d1c3dc848d6875f4aaad313e5af1276987e8e4b401282fa557b3388915
Instruction Fuzzy Hash: 2F71E7715043099EC314EF69EC819ABBBE8FF89360F50142EF545E71B1DB309A48DB62

Function 00E62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E62B9D
LoadIconW.USER32(00000063), ref: 00E62BB3
LoadIconW.USER32(000000A4), ref: 00E62BC5
LoadIconW.USER32(000000A2), ref: 00E62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E62BEF
RegisterClassExW.USER32(?), ref: 00E62C40

Part of subcall function 00E62CD4: GetSysColorBrush.USER32(0000000F), ref: 00E62D07
Part of subcall function 00E62CD4: RegisterClassExW.USER32(00000030), ref: 00E62D31
Part of subcall function 00E62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E62D42
Part of subcall function 00E62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E62D5F
Part of subcall function 00E62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E62D6F
Part of subcall function 00E62CD4: LoadIconW.USER32(000000A9), ref: 00E62D85
Part of subcall function 00E62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E62D94

Strings

#, xrefs: 00E62C16
AutoIt v3, xrefs: 00E62C2F
0, xrefs: 00E62C0F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 04dabdcf967b049b5cc809e087ae298fac309fb2adecc26a2b386b58610756fa
Instruction ID: 689906d08e27eee54b5113330b6df2456ae70a8fddd76aafa2b6245f95747869
Opcode Fuzzy Hash: 04dabdcf967b049b5cc809e087ae298fac309fb2adecc26a2b386b58610756fa
Instruction Fuzzy Hash: BC212C71E0031CAFDB109FA6ED55AAA7FB6FB48B60F10001AE600B67A0D7B11554EF90

Function 00E63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E6316A,?,?), ref: 00E631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E6316A,?,?), ref: 00E63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E6316A,?,?), ref: 00E63232
CreatePopupMenu.USER32 ref: 00E63246
PostQuitMessage.USER32(00000000), ref: 00E63267

Strings

TaskbarCreated, xrefs: 00E6322D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c18ad7d4955eb5742855c82c8997399a5823b9acdcc01d4f332aaf061d92d1a0
Instruction ID: 36939157f9d2895540cfdbfa0f322bf9525a4202c402c7efe0fbae9b88d7d6f1
Opcode Fuzzy Hash: c18ad7d4955eb5742855c82c8997399a5823b9acdcc01d4f332aaf061d92d1a0
Instruction Fuzzy Hash: 51414B312C4208ABDB152B78BD1DBB93659F7463E8F24311AF601F61E3C7719A44E761

Function 00E61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E61459
CoUninitialize.COMBASE ref: 00E614F8
UnregisterHotKey.USER32(?), ref: 00E616DD
DestroyWindow.USER32(?), ref: 00EA24B9
FreeLibrary.KERNEL32(?), ref: 00EA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EA254B

Strings

close all, xrefs: 00E61454

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ad9dc14a644f14665859a82582df93f4aa9f316db6d39536d9c15088353bbf29
Instruction ID: ea701d87f49935295f5475736a938edf426fe9e6b65b2a6262a164c5f36443c0
Opcode Fuzzy Hash: ad9dc14a644f14665859a82582df93f4aa9f316db6d39536d9c15088353bbf29
Instruction Fuzzy Hash: 82D1AC30701212CFCB1AEF19D595A68F7A0FF49354F28A1ADE54A7B261DB30AC12CF51

Function 00E62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E61CAD,?), ref: 00E62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E61CAD,?), ref: 00E62CCF

Strings

AutoIt v3, xrefs: 00E62C89, 00E62C8E, 00E62C8F
edit, xrefs: 00E62CAC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ec0a4c2e04c2e62bc38266c998294b7709f266ca00da5047cbb830895c88fb5a
Instruction ID: 61efe818f8154aabce11b09ed2d8f8fcb1bb9d33da8f27e544ea75cf27e4d636
Opcode Fuzzy Hash: ec0a4c2e04c2e62bc38266c998294b7709f266ca00da5047cbb830895c88fb5a
Instruction Fuzzy Hash: 9FF0D07554029C7AE73117276C09E777EBEE7C6F60B20105AF900A35A0C6A21858EE70

Function 00ECE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00ECE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00ECE9A5
Sleep.KERNEL32(00000000), ref: 00ECE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00ECE9B7
Sleep.KERNELBASE ref: 00ECE9F3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2bd5b240bc005c8a275d2197bcecec8d060cbbc4ca5483f8fb4dfaac5d63e8da
Instruction ID: 467930aa26d82d128afddbd263ea3d5115217415d49cb8ea01eb8b89ee0c6e5c
Opcode Fuzzy Hash: 2bd5b240bc005c8a275d2197bcecec8d060cbbc4ca5483f8fb4dfaac5d63e8da
Instruction Fuzzy Hash: D3016D31C0162DDBCF049FE5DE59AEDBB78FF89300F10158AE502B2240CB319556C7A1

Function 00E63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B83

Strings

Control Panel\Mouse, xrefs: 00E63B3E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4de54b71f5f10f7c09d769dc8ce120352c288086c01f1ebfea66fc3e2e02ab02
Instruction ID: 14c7a739addf3426971fa551c3058df6e1932d126b73a20e2ae0f3a41da30be0
Opcode Fuzzy Hash: 4de54b71f5f10f7c09d769dc8ce120352c288086c01f1ebfea66fc3e2e02ab02
Instruction Fuzzy Hash: 34115AB1550208FFDB208FA5EC44EEEBBB8EF41794B205459A805E7110D6319E449760

Function 00E71310 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E71645
__Init_thread_footer.LIBCMT ref: 00E717F6

Strings

CALL, xrefs: 00E717C6

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CallbackDispatcherInit_thread_footerUser
String ID: CALL
API String ID: 4084840411-4196123274
Opcode ID: 04d2d6ea99f47e54447a8e64a7c4b1971d92c5aad01b7c6366e38ac52e119246
Instruction ID: e746822c239d9234ec0a29bd647956599936f30790e8c9c01fc6391344f23067
Opcode Fuzzy Hash: 04d2d6ea99f47e54447a8e64a7c4b1971d92c5aad01b7c6366e38ac52e119246
Instruction Fuzzy Hash: 49228C706083419FC714DF18C480B6ABBF1BF85314F28A9ADF49AAB361D735E945CB52

Function 00E63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EA33A2

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E63A04

Strings

Line: , xrefs: 00EA33EB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9515c30acb9d5079297af5837338713e7a297bf27616fc8d7f14e782c1b74ca1
Instruction ID: a1fe0f1e5db330481b4b3af9ac43294242dd9fc30fd1f5696861abdd15e15b33
Opcode Fuzzy Hash: 9515c30acb9d5079297af5837338713e7a297bf27616fc8d7f14e782c1b74ca1
Instruction Fuzzy Hash: BB31F671488304AAD724EB20EC45BEB77D8AF84764F14652AF599A31D1DB709648CBC2

Function 00E7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E80668

Part of subcall function 00E832A4: RaiseException.KERNEL32(?,?,?,00E8068A,?,00F31444,?,?,?,?,?,?,00E8068A,00E61129,00F28738,00E61129), ref: 00E83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E80685

Strings

Unknown exception, xrefs: 00E80692

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 28c429a31c56e6dbb4319b6a643c2889ead41bf0968d84eb18a38189dfd2935c
Instruction ID: 4f24720836fb46708830ee014564cc9507464ca72941d632b48b1513c76a829c
Opcode Fuzzy Hash: 28c429a31c56e6dbb4319b6a643c2889ead41bf0968d84eb18a38189dfd2935c
Instruction Fuzzy Hash: CBF0223090020DB78B10BAB4E856D9E7BAC5E00354B60A130F92CB69E1EF31DA2AC781

Function 00E610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E61BF4
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E61BFC
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E61C07
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E61C12
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E61C1A
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E61C22

Part of subcall function 00E61B4A: RegisterWindowMessageW.USER32(00000004,?,00E612C4), ref: 00E61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E6136A
OleInitialize.OLE32 ref: 00E61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EA24AB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 619f0fdada5e798b7a720b6180c840990201bb5f5cbea0e479c6ee258f46c72a
Instruction ID: 829475d04bdf0bc3baaae8ff99b95495de9f3fc1c3cac8f10518bb94669bb380
Opcode Fuzzy Hash: 619f0fdada5e798b7a720b6180c840990201bb5f5cbea0e479c6ee258f46c72a
Instruction Fuzzy Hash: 6D71BBB590120C8FC384DF79FD466653AE2FBC93B4728A22AD50AE7362EB304405EF54

Function 00ECC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ECC259
KillTimer.USER32(?,00000001,?,?), ref: 00ECC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ECC270

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 4aeed9763ef37402a1e5ae84eac784673e85fcbfcb1706d0a38885c01d592ff0
Instruction ID: 75b67556134d4cdae4d3e0a22cea8d8e75f0ac4de3b07ca847b3efcc8b5848b5
Opcode Fuzzy Hash: 4aeed9763ef37402a1e5ae84eac784673e85fcbfcb1706d0a38885c01d592ff0
Instruction Fuzzy Hash: D131E570900744AFEB329F748995BE7BBECAB06308F24109ED1DEB3251C3755A89CB51

Function 00E986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00E985CC,?,00F28CC8,0000000C), ref: 00E98704
GetLastError.KERNEL32(?,00E985CC,?,00F28CC8,0000000C), ref: 00E9870E
__dosmaperr.LIBCMT ref: 00E98739

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 37a7d8b32087a9c91d7803d3be2ca8d5f96ceb8f9d9e866ebc4bc3768694c810
Instruction ID: af07ecaf71b9c58d8388b6ce0340a8579392cbd5d408702357a584d25cef8170
Opcode Fuzzy Hash: 37a7d8b32087a9c91d7803d3be2ca8d5f96ceb8f9d9e866ebc4bc3768694c810
Instruction Fuzzy Hash: 42012B336056201ADE25A274AA45B7E67994BC377CF39215AFD18FF1F3DEA08C81C690

Function 00E6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E6DB7B
DispatchMessageW.USER32(?), ref: 00E6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB9F
Sleep.KERNELBASE(0000000A), ref: 00E6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00EB1CC9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 2e46a50c99e9186927362fa0b37028cf8b6baead88d593e7d1ae80c0e7641041
Instruction ID: 005537d17dd7dbd825fdb7a27417150ac2d661e1855cc56f97b647b9392d7ce9
Opcode Fuzzy Hash: 2e46a50c99e9186927362fa0b37028cf8b6baead88d593e7d1ae80c0e7641041
Instruction Fuzzy Hash: 20F05E306483489BE734DBB19C59FEA73A8EB84364F605919E61AA30D0DB30A448DB25

Function 00EF1EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 00EF2043

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Strings

all, xrefs: 00EF1F09

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: 88ad9f95fddc96bd3d076195ec014c0bcc98724045598f19b131cb7c89e6fc46
Instruction ID: ece7410076d0ad02129baed049695cb756cf3b9976f164bbbd91faaff1c7c413
Opcode Fuzzy Hash: 88ad9f95fddc96bd3d076195ec014c0bcc98724045598f19b131cb7c89e6fc46
Instruction Fuzzy Hash: 0F51E371244305AFC304EF24D881E6AB7E5FF88314F44945DF99AAB292DB71ED44CB91

Function 00E62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EA2C8C

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00E62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E62DC4

Strings

X, xrefs: 00EA2C5A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 9cc279393e197fe0dccedbba6e32ef2bd682b6c255d6074cc1564426a714318c
Instruction ID: db44c0c2b7b6bb721f9cea8d5bd7e6add5e8e77308197ce6d6851482f7c2ff76
Opcode Fuzzy Hash: 9cc279393e197fe0dccedbba6e32ef2bd682b6c255d6074cc1564426a714318c
Instruction Fuzzy Hash: 4721A571A002989FDB01EF94D845BEE7BF9AF49314F009059E505FB241DBB45A898F61

Function 00E63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E63908

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f5522605353eeb4c5eec2e81ee137310d925c16a5c2baa75ff278e3026391899
Instruction ID: 9e65520ce96d5222c8b775e0c39679ba47090ce20ae8924674750bf22742d830
Opcode Fuzzy Hash: f5522605353eeb4c5eec2e81ee137310d925c16a5c2baa75ff278e3026391899
Instruction Fuzzy Hash: BD31D5B05043018FD720DF34D8857D7BBE8FB49358F00092EF599A7280E771AA44CB52

Function 00E7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E7F661

Part of subcall function 00E6D730: GetInputState.USER32 ref: 00E6D807

Sleep.KERNEL32(00000000), ref: 00EBF2DE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 58b712a12dec4f540f87e53fe163443682432881aceaadca3d322cc32c254bf4
Instruction ID: 0b76df242120dfad8f075735a5fd7d3eac386b9356cf78c4b37c98a9d4cb579d
Opcode Fuzzy Hash: 58b712a12dec4f540f87e53fe163443682432881aceaadca3d322cc32c254bf4
Instruction Fuzzy Hash: 60F082312802059FD310EF75E945BAAB7E9EF45760F10402AE85AE7360DB70A844CB91

Function 00E6B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E6BB4E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 4aabf2ad60d9e52a4f5a0d122f909fb4288ab8732fe0da67158f47b0f2102c57
Instruction ID: 8f7e1023762b24ebe9c82d14b8ec37d12bcff59998bc5c8f06515a2f7447b6b7
Opcode Fuzzy Hash: 4aabf2ad60d9e52a4f5a0d122f909fb4288ab8732fe0da67158f47b0f2102c57
Instruction Fuzzy Hash: D1329B30A402099FDB24CF58D894AFFB7F9EF44398F18A059E905BB261D774AD81CB91

Function 00EB647C Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E71645

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a31fe647232b588360f1823114ab54b34c0d050c0e8cd447f77f4a1f2bb36964
Instruction ID: 056fa88ec71ef6ddc08f13a8fbc71f956f58a4125dfbaf289c5f53c352e53e9c
Opcode Fuzzy Hash: a31fe647232b588360f1823114ab54b34c0d050c0e8cd447f77f4a1f2bb36964
Instruction Fuzzy Hash: 3241BD706043019FD720DF18D880B2ABBF1BF85318F14986DF999A7351D776E861CB52

Function 00EB644A Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000001,?,?,?,?,?), ref: 00E71645

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: dbab4f64356489fbea998dbb3b0f8cd70c2f9af8b16ccc967130a868f62cfcee
Instruction ID: 4a0e560596724eb1883f01a1476beb81660bdc84e0188d663a64207436549fb2
Opcode Fuzzy Hash: dbab4f64356489fbea998dbb3b0f8cd70c2f9af8b16ccc967130a868f62cfcee
Instruction Fuzzy Hash: 2941BA706083019FD720DF18C880B1ABBF1BF86328F14985DF999A7351D776E861CB62

Function 00EF13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00EF1420

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: cbd5d5e3d19ce5db4cb4f1781a282d56ad1f54acd35a2631e44d707bfc2a6aaf
Instruction ID: f70d64027797e4c48dc7e319b9c65770a2e6e70c49664a3b322b74a9abe7cbc4
Opcode Fuzzy Hash: cbd5d5e3d19ce5db4cb4f1781a282d56ad1f54acd35a2631e44d707bfc2a6aaf
Instruction Fuzzy Hash: 15318D3020460AEFD714EF25C491B79B7E2BF85328F1491A8E9656B392DB71EC41CB90

Function 00E64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E9C
Part of subcall function 00E64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E64EAE
Part of subcall function 00E64E90: FreeLibrary.KERNEL32(00000000,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EFD

Part of subcall function 00E64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E62
Part of subcall function 00E64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E64E74
Part of subcall function 00E64E59: FreeLibrary.KERNEL32(00000000,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E87

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2c6d6eb586b4f51a3736e3e833af5e1d1b821be7f130905608207e4da11f037e
Instruction ID: 94fc307032614b0a6caa0deac7f6a3e9c9087209442abb67b148e2e44c7a570e
Opcode Fuzzy Hash: 2c6d6eb586b4f51a3736e3e833af5e1d1b821be7f130905608207e4da11f037e
Instruction Fuzzy Hash: A8112372780305AACB15BB70EC02FAD77E4AF54790F20A42EF542BA1C1EE71AA059790

Function 00EF2658 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000001,?), ref: 00EF26E0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 618718186b85afc25cb5cc1fe0313b428313796b86acf4107f232990d2a38d29
Instruction ID: 4a32e8723de66fa3d0e7a54047d22fe69318e96629f44896bc6c2b032a15d00f
Opcode Fuzzy Hash: 618718186b85afc25cb5cc1fe0313b428313796b86acf4107f232990d2a38d29
Instruction Fuzzy Hash: 3A11D03020024A9FD710EF24C891F7AB7D5FB40368F61A09DE646EB252C732EC81CB90

Function 00E98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E98440

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 3efc5d9aa73374b20e59d4146ec217bec9bf2b2c7928ce2b456d946b5c7c8a81
Instruction ID: b7cc17255eb1b3bf0bf0d3536907ba0d6dae5b00f20b8196cff19733bdf245f2
Opcode Fuzzy Hash: 3efc5d9aa73374b20e59d4146ec217bec9bf2b2c7928ce2b456d946b5c7c8a81
Instruction Fuzzy Hash: 2A11187590410AAFCF05DF58E9419DE7BF5EF49314F104069F818AB312DA31EA11CBA5

Function 00E95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E94C7D: RtlAllocateHeap.NTDLL(00000008,00E61129,00000000,?,00E92E29,00000001,00000364,?,?,?,00E8F2DE,00E93863,00F31444,?,00E7FDF5,?), ref: 00E94CBE

_free.LIBCMT ref: 00E9506C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: cf5b756c62c1774f3922d62c0a171396af5755aac5b48c6a64975fd0ff220e34
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D9014E732047056BEB32CF65D84195AFBECFB85370F25061DE594A32C0E6306905C7B4

Function 00EF29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00EF14B5,?), ref: 00EF2A01

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: aaefa717b7c4201f0bc8ff43bc4aebecfa9cf9f4104cdb8d7bfc282d8b2fd422
Instruction ID: 0969c4355a74173fdb79bbf84c3f9e9c8f9a81b423f257a44555e825e78131ea
Opcode Fuzzy Hash: aaefa717b7c4201f0bc8ff43bc4aebecfa9cf9f4104cdb8d7bfc282d8b2fd422
Instruction Fuzzy Hash: 85019E36300A459FD325CA2DC454B323792EBC5318F29E46DC347AB291DB32EC42C7A0

Function 00E8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 916079a87ceafdeab4c5b2a1e0eddd43a6289c5a531f8de33bab7d4ad9100dec
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 67F02832510A14AADF313A698C05B9A33D89F92334F142719F52DB33E2EB70D80297A5

Function 00E94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E61129,00000000,?,00E92E29,00000001,00000364,?,?,?,00E8F2DE,00E93863,00F31444,?,00E7FDF5,?), ref: 00E94CBE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4d04f65f3b6cf8d0f209061b1e8e8bd11aac40a26d7dcc2707f55c94678e9b8d
Instruction ID: 5f384a5d139d4e48c41818c38d27d4dbced28a17ffbfe33679f15ae30332f666
Opcode Fuzzy Hash: 4d04f65f3b6cf8d0f209061b1e8e8bd11aac40a26d7dcc2707f55c94678e9b8d
Instruction Fuzzy Hash: E3F0B4B16022246EFF216F629C05F9AB7C8BF417A5B286215B81DBA1D0CA30D80286A0

Function 00E93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3d8931f84fb543e10135f6dd74ca432f9014297103b9c1a2ac9ff3d0323240c5
Instruction ID: 35c66326fbdca0c7431b951a519bfbb3aa920fb000f67003cef3ac0f95a3d7eb
Opcode Fuzzy Hash: 3d8931f84fb543e10135f6dd74ca432f9014297103b9c1a2ac9ff3d0323240c5
Instruction Fuzzy Hash: 83E0E53110122956DE3536779C04BDA36C9AF427B8F152221BC09B69D0CB10DD0192E0

Function 00ECDB6D Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,00000000,00010000), ref: 00ECDB88

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassName
String ID:
API String ID: 1191326365-0
Opcode ID: 2d78b57bd62ff1ebaa7d40e658d588fc2037d70b85f8311209783c62429c7610
Instruction ID: 15d659cf1752b9a4149adc71da8399a5523c55f83ac4f7452f0164554b5a4c3f
Opcode Fuzzy Hash: 2d78b57bd62ff1ebaa7d40e658d588fc2037d70b85f8311209783c62429c7610
Instruction Fuzzy Hash: 96E092226491142782253B29AC05DBF7AD9DF813B0B196039F088B6292DFA40982C2E1

Function 00E64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64F6D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 19fe29fcb2c9596cd6cc5928184600bb2f8deff033bf91768471c114aae89dd0
Instruction ID: c9cfe92fc7e0d4fa623fe0257eeb84b24da28eb8ec34d448fcc66fdb02bffa4f
Opcode Fuzzy Hash: 19fe29fcb2c9596cd6cc5928184600bb2f8deff033bf91768471c114aae89dd0
Instruction Fuzzy Hash: 8EF030B1245751CFDB389F64E490862B7F4BF14359320A97EE1DAA2652C7319848DF10

Function 00EF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EF2A66

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b6fef06edc21edffe766d858934b2feae265b88bf8fdde8aa62f27f30927174c
Instruction ID: e4f2b36341501a7e02035652e3a4737ef6584017db0c5042e3be3d6262ca66b5
Opcode Fuzzy Hash: b6fef06edc21edffe766d858934b2feae265b88bf8fdde8aa62f27f30927174c
Instruction Fuzzy Hash: AEE04F7635451AAAC714EE30ED809FA739CEB50395710553EAE1AE2140EB309A96D6A0

Function 00E630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E6314E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4004b2aef952be74fe5d0c087c315d4cc0bf0238c70a9fdea14973cf1d222083
Instruction ID: 90b121118e2ec5ecd1fa3c3500f17bfbcb1ab5d1a274bd60b7098ddc5964fe9c
Opcode Fuzzy Hash: 4004b2aef952be74fe5d0c087c315d4cc0bf0238c70a9fdea14973cf1d222083
Instruction Fuzzy Hash: 4FF030709143189FEB529F24DC8A7DA7BFCBB0171CF1001E9A688A7292DB745B88CF51

Function 00E62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E62DC4

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5a524e347ff6d2e1a101db84258520a641453a555be745ceab6b5ab45bed8ade
Instruction ID: 2ac1443f7c362bc42dda3fd79bcb088c29ab50ac0bf48b87e530a70446acc6a8
Opcode Fuzzy Hash: 5a524e347ff6d2e1a101db84258520a641453a555be745ceab6b5ab45bed8ade
Instruction Fuzzy Hash: D2E0CD766001245FC71096589C05FEA77DDDFC87D0F0440B1FD09F7258D960BD84C550

Function 00E62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E63908

Part of subcall function 00E6D730: GetInputState.USER32 ref: 00E6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E62B6B

Part of subcall function 00E630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E6314E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b561989d2323adf542ed8964be33b56e9e27bf5cea3cb655b5d472c7fc93a05e
Instruction ID: 6efec5315ef91a5ae521d88537d2f9e09bf7cfeca9aad4072a2f7d054cc9e256
Opcode Fuzzy Hash: b561989d2323adf542ed8964be33b56e9e27bf5cea3cb655b5d472c7fc93a05e
Instruction Fuzzy Hash: 2FE0862174424806C608BB75B8565BDF7D9DBE63E5F40353EF542B31A3CE2445499252

Function 00ECDB3C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,Function_0006DB6D,00000000), ref: 00ECDB57

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 24e9f1ca206d045457c2a9caf9ecf947544acd1173bf856d4ce59ec9c2a3c902
Instruction ID: 5e2d00e66b085340f77320f3b08288f404563225b091ad09612bd7af0a9b039a
Opcode Fuzzy Hash: 24e9f1ca206d045457c2a9caf9ecf947544acd1173bf856d4ce59ec9c2a3c902
Instruction Fuzzy Hash: A2D0A73274411023C60C261DBCD1F7E82CE5BC5761B1E103EF106F31C10E520D031569

Function 00EA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EA0704,?,?,00000000,?,00EA0704,00000000,0000000C), ref: 00EA03B7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e06db66dbf498d1ff4d2b88c1df48f9b9fb029734000eb3859c5b66925374ff
Instruction ID: cf4505c9ba2d9a22e0517310d5cb52ef6ce2bafb35e372ed95166a63438297a2
Opcode Fuzzy Hash: 6e06db66dbf498d1ff4d2b88c1df48f9b9fb029734000eb3859c5b66925374ff
Instruction Fuzzy Hash: 66D06C3204010DBFDF028F85DD06EDA3BAAFB88714F114000BE5866020C732E831EB90

Function 00E61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E61CBC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b012c9926ff27269296f040747505dcfeb8b8933bd216e0efb0c1c7346ea2bac
Instruction ID: f695165bfb17ac1ab3ea6892876d8b47f6ae73a57bfbd46ec7fa6f69d3861f16
Opcode Fuzzy Hash: b012c9926ff27269296f040747505dcfeb8b8933bd216e0efb0c1c7346ea2bac
Instruction Fuzzy Hash: F0C09B3528030CDFF2544780BD4AF107755B34CB11F144001F609655E3C3A11414F650

Non-executed Functions

Function 00EF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EF96C9
SendMessageW.USER32 ref: 00EF96F2
GetKeyState.USER32(00000011), ref: 00EF978B
GetKeyState.USER32(00000009), ref: 00EF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EF97AE
GetKeyState.USER32(00000010), ref: 00EF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EF97E9
SendMessageW.USER32 ref: 00EF9810
SendMessageW.USER32(?,00001030,?,00EF7E95), ref: 00EF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EF9941
SetCapture.USER32(?), ref: 00EF994A
ClientToScreen.USER32(?,?), ref: 00EF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF99D6
ReleaseCapture.USER32 ref: 00EF99E1
GetCursorPos.USER32(?), ref: 00EF9A19
ScreenToClient.USER32(?,?), ref: 00EF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EF9A80
SendMessageW.USER32 ref: 00EF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EF9AEB
SendMessageW.USER32 ref: 00EF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EF9B4A
GetCursorPos.USER32(?), ref: 00EF9B68
ScreenToClient.USER32(?,?), ref: 00EF9B75
GetParent.USER32(?), ref: 00EF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EF9BFA
SendMessageW.USER32 ref: 00EF9C2B
ClientToScreen.USER32(?,?), ref: 00EF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EF9CDE
SendMessageW.USER32 ref: 00EF9D01
ClientToScreen.USER32(?,?), ref: 00EF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EF9D82

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

GetWindowLongW.USER32(?,000000F0), ref: 00EF9E05

Strings

@GUI_DRAGID, xrefs: 00EF997D
F, xrefs: 00EF9D07

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6247171cca338b601943927ad02fdbd6c25e6b7b38b6febb44da7f2c6a9f564d
Instruction ID: a6d99fe094aa400b4f0b8a7c941695cf47a31ab7a63b613c7d36f53a8612439e
Opcode Fuzzy Hash: 6247171cca338b601943927ad02fdbd6c25e6b7b38b6febb44da7f2c6a9f564d
Instruction Fuzzy Hash: 0A428D30204248AFD724CF24CC44BBABBE5FF88724F255619F699E72A2D7319854DF52

Function 00EF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00EF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00EF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00EF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00EF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00EF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00EF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00EF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00EF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00EF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EF4A7E
IsMenu.USER32(?), ref: 00EF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00EF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00EF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00EF4C82
wsprintfW.USER32 ref: 00EF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EF4D5A

Strings

%d/%02d/%02d, xrefs: 00EF4CA8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3beeeb58f610b90db716aa8f9664aa09522a03d91f99602fc4ab87cb7ade025e
Instruction ID: 9b4e8dffb0cd18c58182aa65eab2ada02963114055bc6002c87f754af4cdad3a
Opcode Fuzzy Hash: 3beeeb58f610b90db716aa8f9664aa09522a03d91f99602fc4ab87cb7ade025e
Instruction Fuzzy Hash: 0B12E0B1600258ABEB248F29CC49FBF7BE8EF85714F206119F619FA1E1D7749A40CB50

Function 00EC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
Part of subcall function 00EC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
Part of subcall function 00EC16C3: GetLastError.KERNEL32 ref: 00EC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EC12A8
CloseHandle.KERNEL32(?), ref: 00EC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EC12D1
GetProcessWindowStation.USER32 ref: 00EC12EA
SetProcessWindowStation.USER32(00000000), ref: 00EC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EC1310

Part of subcall function 00EC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC11FC), ref: 00EC10D4
Part of subcall function 00EC10BF: CloseHandle.KERNEL32(?,?,00EC11FC), ref: 00EC10E9

Strings

default, xrefs: 00EC130B
winsta0, xrefs: 00EC12CC
, xrefs: 00EC125A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: a51c29a532d33a225d8cb143cdf258cc4abae9f3646703eb49ac3408d21dd029
Instruction ID: c6dcee78c0dd0023ebdafa8e6688e54912d2d16449b1e6883ff5fb4187647327
Opcode Fuzzy Hash: a51c29a532d33a225d8cb143cdf258cc4abae9f3646703eb49ac3408d21dd029
Instruction Fuzzy Hash: 7E81AD71900209AFDF259FA4DE49FEE7BB9FF45704F2451A9F920B21A1D7328946CB20

Function 00EC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
Part of subcall function 00EC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
Part of subcall function 00EC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
Part of subcall function 00EC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC0C00
GetLengthSid.ADVAPI32(?), ref: 00EC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC0C6D
GetLengthSid.ADVAPI32(?), ref: 00EC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC0CB4
CopySid.ADVAPI32(00000000), ref: 00EC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D45
HeapFree.KERNEL32(00000000), ref: 00EC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D55
HeapFree.KERNEL32(00000000), ref: 00EC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D65
HeapFree.KERNEL32(00000000), ref: 00EC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC0D78
HeapFree.KERNEL32(00000000), ref: 00EC0D7F

Part of subcall function 00EC1193: GetProcessHeap.KERNEL32(00000008,00EC0BB1,?,00000000,?,00EC0BB1,?), ref: 00EC11A1
Part of subcall function 00EC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EC0BB1,?), ref: 00EC11A8
Part of subcall function 00EC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EC0BB1,?), ref: 00EC11B7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 35b1bbb922e3445ce29190c76a5fc97c87b0fb73118c483f1f4bf1ba1febfa12
Instruction ID: bd579a6c8e601698983cd62858e72b8bbf1c83855da41e53b41320807446433e
Opcode Fuzzy Hash: 35b1bbb922e3445ce29190c76a5fc97c87b0fb73118c483f1f4bf1ba1febfa12
Instruction Fuzzy Hash: B3719D7190020AEFDF10DFA5DE44FAEBBB8BF44704F244519E915B6291D772A906CB60

Function 00EDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EFCC08), ref: 00EDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EDEB37
GetClipboardData.USER32(0000000D), ref: 00EDEB43
CloseClipboard.USER32 ref: 00EDEB4F
GlobalLock.KERNEL32(00000000), ref: 00EDEB87
CloseClipboard.USER32 ref: 00EDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EDEBC9
GetClipboardData.USER32(00000001), ref: 00EDEBD1
GlobalLock.KERNEL32(00000000), ref: 00EDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EDEC38
GetClipboardData.USER32(0000000F), ref: 00EDEC44
GlobalLock.KERNEL32(00000000), ref: 00EDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EDECF3
CountClipboardFormats.USER32 ref: 00EDED14
CloseClipboard.USER32 ref: 00EDED59

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 70296211c3921224e58d6f0f5654c5e16e8de7323536e7fe137dd7fec0f4aac5
Instruction ID: 5b499ab15cf871314e96f5145b97aabaf052721469c1371cf2e3d36adefa5bd1
Opcode Fuzzy Hash: 70296211c3921224e58d6f0f5654c5e16e8de7323536e7fe137dd7fec0f4aac5
Instruction Fuzzy Hash: E061C2342042059FD310EF20D988F7A77E4EF84758F24655AF456BB3A2CB31E90ACB62

Function 00ED698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED69BE
FindClose.KERNEL32(00000000), ref: 00ED6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ED6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ED6A75

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED6ADF

Strings

%4d, xrefs: 00ED6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00ED6B6A
%02d, xrefs: 00ED6C00, 00ED6C0A, 00ED6C5A, 00ED6CAA, 00ED6CFA, 00ED6D4A
%03d, xrefs: 00ED6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00ED6B32

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9c7f83aed65039da6abd7a25d79d0f153df71e9e38a9b9b9ba9af1eeff74460f
Instruction ID: d83d89fd8ad352c8897410a359f09d8f452717c69a49e6992d26f6c74043a071
Opcode Fuzzy Hash: 9c7f83aed65039da6abd7a25d79d0f153df71e9e38a9b9b9ba9af1eeff74460f
Instruction Fuzzy Hash: E3D17171548300AFC314EBA0D991EABB7ECEF88704F04591EF585E7291EB74DA48CB62

Function 00ED9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00ED9663
GetFileAttributesW.KERNEL32(?), ref: 00ED96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00ED96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00ED96D3
FindClose.KERNEL32(00000000), ref: 00ED96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00ED96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED974A
SetCurrentDirectoryW.KERNEL32(00F26B7C), ref: 00ED9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED9772
FindClose.KERNEL32(00000000), ref: 00ED977F
FindClose.KERNEL32(00000000), ref: 00ED978F

Strings

*.*, xrefs: 00ED96F5

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 503399fbfc1b1424c756a17525a94180ecad5232eaba34b12d177389602f435a
Instruction ID: 9c9a45da746bc64b234a60b7f03072424e56b2701581a13d8ad218929a5ca438
Opcode Fuzzy Hash: 503399fbfc1b1424c756a17525a94180ecad5232eaba34b12d177389602f435a
Instruction Fuzzy Hash: E631CE3254161D6EDB14AFB5ED08AEE77ACEF89324F205197E814F22B1DB30DA49CB10

Function 00ED979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00ED97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00ED9819
FindClose.KERNEL32(00000000), ref: 00ED9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00ED9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED9890
SetCurrentDirectoryW.KERNEL32(00F26B7C), ref: 00ED98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED98B8
FindClose.KERNEL32(00000000), ref: 00ED98C5
FindClose.KERNEL32(00000000), ref: 00ED98D5

Part of subcall function 00ECDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ECDB00

Strings

*.*, xrefs: 00ED983B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 277a02959a7c7ed204cc38ea9e25527ca691aaa5b515914c9087ab89dca9a535
Instruction ID: 7f4f68f794cd9501d26edad983df2ba26ab84846b18b12b59cfca28daf9711c0
Opcode Fuzzy Hash: 277a02959a7c7ed204cc38ea9e25527ca691aaa5b515914c9087ab89dca9a535
Instruction Fuzzy Hash: 9031053654061D6EEF14AFB5EC48AEE73ACDF46724F205156E804F22B1DB31D94ADB20

Function 00EEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00EEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00EEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00EEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EEC382
RegCloseKey.ADVAPI32(00000000), ref: 00EEC38F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 28661a3a5556c49f132a9ebce4e9cb7dda4ee0a9adbf76b10fbafd8b6116d135
Instruction ID: b613ddacb962c8f59dbb95b37bc95a2da25ec8ac8f714ac105fcb6b5565d9ef1
Opcode Fuzzy Hash: 28661a3a5556c49f132a9ebce4e9cb7dda4ee0a9adbf76b10fbafd8b6116d135
Instruction Fuzzy Hash: B50282716042449FC714CF25C895E2AB7E5EF89318F28D49DF84AEB2A2DB31EC46CB51

Function 00ED8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ED8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00ED8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00ED838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8395

Strings

*.*, xrefs: 00ED839B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6ee72774031b538e8eb6960cc3245fc44467ce40144a49db6d134651e35db95c
Instruction ID: e46ec1deee45e6d6c7807630c0661fd3047cff56f37f55298a7a9224550817eb
Opcode Fuzzy Hash: 6ee72774031b538e8eb6960cc3245fc44467ce40144a49db6d134651e35db95c
Instruction Fuzzy Hash: DA618C725043459FC710EF60D9409AEB3E8FF89314F14591EF989E7261EB31E94ACB92

Function 00ECD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ECD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ECD1DD
MoveFileW.KERNEL32(?,?), ref: 00ECD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ECD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECD237

Part of subcall function 00ECD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ECD21C,?,?), ref: 00ECD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00ECD253
FindClose.KERNEL32(00000000), ref: 00ECD264

Strings

\*.*, xrefs: 00ECD0CD, 00ECD0D6, 00ECD0EB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e767bdf453643b7f4ad39d6389d84fcbdf0969effafecda66d865adfbed219c0
Instruction ID: 4ce69c977e493edf2047480825a7503c14ddfa482bedfa2b5ef901844680c8f4
Opcode Fuzzy Hash: e767bdf453643b7f4ad39d6389d84fcbdf0969effafecda66d865adfbed219c0
Instruction Fuzzy Hash: 40617E3184510D9ECF09EBE0EE52EEDB7B9AF55344F246069E401771A2EB325F0ADB60

Function 00EDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EDED91
EmptyClipboard.USER32 ref: 00EDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EDEDAC
CloseClipboard.USER32 ref: 00EDEEA3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f7f2b7de22385f38541baeebb764567c85227974d310fdb32ee5b7c3b653d4d4
Instruction ID: 619343253a4ebed62ce3359a80b72a99f10ed559c0115eb75a0a9464428c76b5
Opcode Fuzzy Hash: f7f2b7de22385f38541baeebb764567c85227974d310fdb32ee5b7c3b653d4d4
Instruction Fuzzy Hash: ED419F352046119FE310DF15D888B29BBE1EF44318F25D09AE859AF762C775EC46CB90

Function 00ECE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
Part of subcall function 00EC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
Part of subcall function 00EC16C3: GetLastError.KERNEL32 ref: 00EC174A

ExitWindowsEx.USER32(?,00000000), ref: 00ECE932

Strings

, xrefs: 00ECE920
, xrefs: 00ECE95C
SeShutdownPrivilege, xrefs: 00ECE902
@, xrefs: 00ECE925

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 864a011d041963d55d4caefdcd56be37a2a5ce12868c0ec14fb20f45fc915740
Instruction ID: 17b614b60374b872b8c489d6239e7fa0097a1a51c9dcf7db6c1efe6872bc918a
Opcode Fuzzy Hash: 864a011d041963d55d4caefdcd56be37a2a5ce12868c0ec14fb20f45fc915740
Instruction Fuzzy Hash: EA014E32610214AFFB5422759E86FFF729C9744744F241569FC03F32D2D5B25C46C290

Function 00EE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00EE1276
WSAGetLastError.WSOCK32 ref: 00EE1283
bind.WSOCK32(00000000,?,00000010), ref: 00EE12BA
WSAGetLastError.WSOCK32 ref: 00EE12C5
closesocket.WSOCK32(00000000), ref: 00EE12F4
listen.WSOCK32(00000000,00000005), ref: 00EE1303
WSAGetLastError.WSOCK32 ref: 00EE130D
closesocket.WSOCK32(00000000), ref: 00EE133C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b8828e3d6620b440a6bc686dd87e8e36b771e3069e5d7a324e731958d4d00b60
Instruction ID: e3aa0b0d8c804e41d96cb376a69d76953f60360f04478ebddf1224c0bd8c2857
Opcode Fuzzy Hash: b8828e3d6620b440a6bc686dd87e8e36b771e3069e5d7a324e731958d4d00b60
Instruction Fuzzy Hash: 5941C5306001849FD714DF65D984B69B7E5BF8A318F2890C8D956AF2A2C771ECC5CBE1

Function 00ECD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ECD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ECD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECD481
FindClose.KERNEL32(00000000), ref: 00ECD498
FindClose.KERNEL32(00000000), ref: 00ECD4A1

Strings

\*.*, xrefs: 00ECD3F2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 297a312d8bd4ce4a2e014995aaafbb775de758b025085c382187f164ad80b0c2
Instruction ID: 9ae7c7b2eb29c9b72e9071379cdecd4b05d7a18908d863684d940e600e50e449
Opcode Fuzzy Hash: 297a312d8bd4ce4a2e014995aaafbb775de758b025085c382187f164ad80b0c2
Instruction Fuzzy Hash: D131AF3104C3449FC204EF60E9519AF77E8BE91354F546A2DF4E5A31A1EB31AA09CB63

Function 00E9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E9E645

Strings

1#SNAN, xrefs: 00E9F844
1#INF, xrefs: 00E9F852
1#QNAN, xrefs: 00E9F84B
1#IND, xrefs: 00E9F83D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: df56a21f5a5ed9001b4b0b4d21d0f5912a4ae071d73c6d2b4497a7be028b05ca
Instruction ID: 6e793025c89693e794410ee799189f369a7ab0646b3a378477c2fec2f4e9e4c9
Opcode Fuzzy Hash: df56a21f5a5ed9001b4b0b4d21d0f5912a4ae071d73c6d2b4497a7be028b05ca
Instruction Fuzzy Hash: 2DC23871E086288FDF29CE289D407EAB7B5EB48309F1551EAD94DF7241E774AE818F40

Function 00ED648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED64DC
CoInitialize.OLE32(00000000), ref: 00ED6639
CoCreateInstance.OLE32(00EFFCF8,00000000,00000001,00EFFB68,?), ref: 00ED6650
CoUninitialize.OLE32 ref: 00ED68D4

Strings

.lnk, xrefs: 00ED64BA, 00ED6524, 00ED65E0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 46ba3d199a09601027e5286b1a6469659e7f7712cc03eaa8924597c0304b35ca
Instruction ID: 2581eb9f3b12fbf7ad887d3fac529a81aaa61f3f56ce4ffa1f700685bf62d3b0
Opcode Fuzzy Hash: 46ba3d199a09601027e5286b1a6469659e7f7712cc03eaa8924597c0304b35ca
Instruction Fuzzy Hash: 63D18B71608301AFC304EF24D88196BB7E8FF94748F10592DF595AB292DB71ED46CB92

Function 00EE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EE22E8

Part of subcall function 00EDE4EC: GetWindowRect.USER32(?,?), ref: 00EDE504

GetDesktopWindow.USER32 ref: 00EE2312
GetWindowRect.USER32(00000000), ref: 00EE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EE2355
GetCursorPos.USER32(?), ref: 00EE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EE23DF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: abf72349ab1c2c7bc80d1c1e810f57e210deb250ca07f536be3c85b0c19a1c84
Instruction ID: 0f40470f9505d2ff9879f3a5f3b097ebfb15ab0b6d45ab52cea7134872a72ca6
Opcode Fuzzy Hash: abf72349ab1c2c7bc80d1c1e810f57e210deb250ca07f536be3c85b0c19a1c84
Instruction Fuzzy Hash: 6531DE7210434AAFCB20DF16C808B6BB7AAFB84714F10191DF984A7281DA34E909CB92

Function 00ED9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00ED9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00ED9C8B

Part of subcall function 00ED3874: GetInputState.USER32 ref: 00ED38CB
Part of subcall function 00ED3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00ED9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00ED9C75

Strings

*.*, xrefs: 00ED9B5D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cb22d561c5b7e88e14d71534516b9c444328cff45ec0cfa637602ac71c9e3f94
Instruction ID: 1d02f7b0832c072b47da6ab6cd23ae33523febfb1b70bd486291f4e087671d46
Opcode Fuzzy Hash: cb22d561c5b7e88e14d71534516b9c444328cff45ec0cfa637602ac71c9e3f94
Instruction Fuzzy Hash: D6416D7194020AAFCF14DF64DD45AEEBBF8EF45354F245056E405B22A2EB309E45CF61

Function 00E7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E79A4E
GetSysColor.USER32(0000000F), ref: 00E79B23
SetBkColor.GDI32(?,00000000), ref: 00E79B36

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c62859efaa5421c58695c2bdbcb944e5a5f01a6d97c7fb743a53f7f38510a7c9
Instruction ID: 125729a4ce62d856a1a10b0a7d6d2e7d01fb633c13ecd09309451e1849f96a4c
Opcode Fuzzy Hash: c62859efaa5421c58695c2bdbcb944e5a5f01a6d97c7fb743a53f7f38510a7c9
Instruction Fuzzy Hash: CDA14C7010A418AEE7249A3C8C48EFB369DEFC2354F25A10AF546F6A97CA259D01D375

Function 00EE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE304E: inet_addr.WSOCK32(?), ref: 00EE307A
Part of subcall function 00EE304E: _wcslen.LIBCMT ref: 00EE309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE185D
WSAGetLastError.WSOCK32 ref: 00EE1884
bind.WSOCK32(00000000,?,00000010), ref: 00EE18DB
WSAGetLastError.WSOCK32 ref: 00EE18E6
closesocket.WSOCK32(00000000), ref: 00EE1915

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d113082b6d146c0089ec565e0176f0ca80bdafbc95a264af51587925d7ce004
Instruction ID: 6a8d81bb5e0e5aac8c133d23b754edc4bcd9f3189a7fe9541a8f3d3c31b6da26
Opcode Fuzzy Hash: 0d113082b6d146c0089ec565e0176f0ca80bdafbc95a264af51587925d7ce004
Instruction Fuzzy Hash: DB511670A402449FD710AF24D886F7A77E5AB84358F189088F95ABF3C3D771AD41CBA1

Function 00E68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E6843C
VUUU, xrefs: 00EA5DF0
VUUU, xrefs: 00E683E8
ERCP, xrefs: 00E6813C
VUUU, xrefs: 00E683FA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 63dcead24255ab5544c2e3fb0e4075d7f6a5f60eba0b50793ae1bcb6d512c257
Instruction ID: e1dd76ab8d6454ca1da31c2db5d74927448f3326b3bf20b76226abffa0cf9cf0
Opcode Fuzzy Hash: 63dcead24255ab5544c2e3fb0e4075d7f6a5f60eba0b50793ae1bcb6d512c257
Instruction Fuzzy Hash: 06A29171E4021ACBDF24CF58D9407EEB7B1BF59354F24929AE815BB285DB30AD81CB50

Function 00EEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00EEA6BA

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00EEA79C
CloseHandle.KERNEL32(00000000), ref: 00EEA7AB

Part of subcall function 00E7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EA3303,?), ref: 00E7CE8A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 75472c056c159159027e80c67045562f150e53109c329fcad5002abf915c4304
Instruction ID: 023f47497b9bf3f3163aaed6671447be8757f36d81df8b2dd6850412915324ca
Opcode Fuzzy Hash: 75472c056c159159027e80c67045562f150e53109c329fcad5002abf915c4304
Instruction Fuzzy Hash: EB517E715083009FD314DF25D886A6BBBE8FF89754F14992DF589A7292EB30E904CB92

Function 00ECAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ECAAAC
SetKeyboardState.USER32(00000080), ref: 00ECAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ECAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ECAB88

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cc0b1ae2f918fcd521a222d4744ceda08591ab42dd67288a521511f3adf0f284
Instruction ID: 9a3daea1d62e65a89ac91dc6793f6d82dd16f4748508801553128fe5277b8b38
Opcode Fuzzy Hash: cc0b1ae2f918fcd521a222d4744ceda08591ab42dd67288a521511f3adf0f284
Instruction Fuzzy Hash: D6310970A4020CAEEB358A65CE05FFA77B6AB44318F18522EF181B61D1D7768D86C752

Function 00E9BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9BB7F

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

GetTimeZoneInformation.KERNEL32 ref: 00E9BB91
WideCharToMultiByte.KERNEL32(00000000,?,00F3121C,000000FF,?,0000003F,?,?), ref: 00E9BC09
WideCharToMultiByte.KERNEL32(00000000,?,00F31270,000000FF,?,0000003F,?,?,?,00F3121C,000000FF,?,0000003F,?,?), ref: 00E9BC36

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ff4cb36236ab2d12565d526c18360a588c4b0c74a550cf0a4443793a4bb4c9f0
Instruction ID: 68cf2bb66d9f167f8362b9e1756ea8c286f3f414210b4212d49bfe5651bb87ba
Opcode Fuzzy Hash: ff4cb36236ab2d12565d526c18360a588c4b0c74a550cf0a4443793a4bb4c9f0
Instruction Fuzzy Hash: F931CF70904209DFCF10DF69ED8096EBBB9FF45320B2452AAE410EB2A1D770DD00DB90

Function 00EDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EDCE89
GetLastError.KERNEL32(?,00000000), ref: 00EDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EDCEFE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9f7d0cb4faa38a0839f01ac8e570269804c2f110864725ec59cc484bc04edc4b
Instruction ID: 690f41f4830d8add39af0bdb55981d07f2ff0cb15f78f28a8305d2280dd8bd21
Opcode Fuzzy Hash: 9f7d0cb4faa38a0839f01ac8e570269804c2f110864725ec59cc484bc04edc4b
Instruction Fuzzy Hash: 3721AEB16007069FE7209FA5C944BAA77FCEB40398F30541AE946E2251E770E906DB50

Function 00EC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EC82AA

Strings

|, xrefs: 00EC82DA
(, xrefs: 00EC82F0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 03561b10b8115e6068f2e334a29cd8bc4b78c243a2c2916227f1380696bd6d4f
Instruction ID: 702695d572767705d4d0585fd9f1c08329c9659b6243782ccba979f086c62703
Opcode Fuzzy Hash: 03561b10b8115e6068f2e334a29cd8bc4b78c243a2c2916227f1380696bd6d4f
Instruction Fuzzy Hash: 59323775A006059FC728CF19C680E6AB7F0FF48714B11D56EE49AEB3A1EB70E942CB40

Function 00ED5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00ED5D17
FindClose.KERNEL32(?), ref: 00ED5D5F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d40833c93be04e3636c308281984925edf0121a9c42c1a5270164d3ccee8e4d2
Instruction ID: 00e1202570a7d8a2566354ea2ac028bc2307ef08b9f960ed08ac324bb31caa71
Opcode Fuzzy Hash: d40833c93be04e3636c308281984925edf0121a9c42c1a5270164d3ccee8e4d2
Instruction Fuzzy Hash: 6651BC35600A019FC714CF28D484EAAB7E4FF49318F24955EE99A9B3A1CB30EC05CFA1

Function 00E92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00E92731

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4a05f6da2069d2a9af996e462d20e3b10b6f59c39ac672301dc4631a217c8271
Instruction ID: 4b6dc396ed0472a0656a166667a9892714e90dbf7e05c96b5e62605dff873636
Opcode Fuzzy Hash: 4a05f6da2069d2a9af996e462d20e3b10b6f59c39ac672301dc4631a217c8271
Instruction Fuzzy Hash: 8131C27490121CABCB21DF68DD8879CBBB8AF08310F6051EAE91CB6261E7309F858F44

Function 00ED51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ED5238
SetErrorMode.KERNEL32(00000000), ref: 00ED52A1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8a1b316e488fe564be680dc9661c854398901b7ed765d991d3bb227d561cf242
Instruction ID: 78260a372cc943ed6209634b35108419059adafbb5c3b0c8d7989cef2f5085d0
Opcode Fuzzy Hash: 8a1b316e488fe564be680dc9661c854398901b7ed765d991d3bb227d561cf242
Instruction Fuzzy Hash: 8C314175A00518DFDB00DF54D884EADBBF5FF49318F189099E845AB362DB31E85ACB90

Function 00EC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E80668
Part of subcall function 00E7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
GetLastError.KERNEL32 ref: 00EC174A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0b0302ca6935eb339ee6bc4ab126ac922ff6f79ae1d00efe28f8362a0110d476
Instruction ID: 673e55cec74472141419d18359a8b00737fb19785611e98f4a1c6600fa594d2b
Opcode Fuzzy Hash: 0b0302ca6935eb339ee6bc4ab126ac922ff6f79ae1d00efe28f8362a0110d476
Instruction Fuzzy Hash: E211C1B2500308FFD7289F54DD86E6AB7F9EB45714B20856EE05663241EB71BC42CB20

Function 00ECD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ECD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00ECD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ECD650

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5cb109242442644dc1a8a667c8f1b777967075c849776f22599de7845e3f9aa3
Instruction ID: d7bc84b850e40a0b2c1fafb6e0eab2b4e969e8c46bab279b42f5539516708c06
Opcode Fuzzy Hash: 5cb109242442644dc1a8a667c8f1b777967075c849776f22599de7845e3f9aa3
Instruction Fuzzy Hash: DF1170B1E05228BFDB108F959D44FAFBBBCEB45B50F208125F904F7290C2704A05CBA1

Function 00EC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EC16A1
FreeSid.ADVAPI32(?), ref: 00EC16B1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b7faf7c8c31be8734794b2d06784e55342e991e1799fdad725b1801b4e3505a6
Instruction ID: 8dfad69924ef9bd31f366a544d7636960ccbb96eebefbdbbc5e66f36ffc032bd
Opcode Fuzzy Hash: b7faf7c8c31be8734794b2d06784e55342e991e1799fdad725b1801b4e3505a6
Instruction Fuzzy Hash: C6F0447194030CFFDB00CFE08D89EAEBBBCEB08204F2048A4E500E2181E730AA089A50

Function 00EBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EBD28C

Strings

X64, xrefs: 00EBD2A8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 82adc534a6b1c07dd632f7998fdd969b3d901e18541168beb614a01e496b7059
Instruction ID: 63fb96c82167815865354720312c21e3cda7cdc5e5a87992783d43689d914299
Opcode Fuzzy Hash: 82adc534a6b1c07dd632f7998fdd969b3d901e18541168beb614a01e496b7059
Instruction Fuzzy Hash: 4AD0C9B480511DEECB94CB90DC88DDAB37CBF04305F205155F106B2000DB3095498F10

Function 00E8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1d3f515b954367f98f020b4034e146007427142f817b9708040be8b7b94c9670
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 8D020A71E002199BDF14DFA9C8806ADFBF1EF49314F25916AE91DFB280D731AA41CB94

Function 00ED68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED6918
FindClose.KERNEL32(00000000), ref: 00ED6961

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7cbb0d907bc0315d7758c77cbcd9d9ff19dbdbf16d581c472827cc22c3a1147e
Instruction ID: f9310921991fd1f0977cff7541c3ae7c4085a991381e480aa3d260272ce108a0
Opcode Fuzzy Hash: 7cbb0d907bc0315d7758c77cbcd9d9ff19dbdbf16d581c472827cc22c3a1147e
Instruction Fuzzy Hash: 1D1190316046409FD710DF69D488A26BBE5FFC9328F14D69AE4699F3A2C730EC06CB91

Function 00ED37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EE4891,?,?,00000035,?), ref: 00ED37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EE4891,?,?,00000035,?), ref: 00ED37F4

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 57b8fe6dd0288eff2ae01d5971cad666262c135064dcd03b9368150361e9450b
Instruction ID: 602decf2f53eaa1d5148a65d244519d0518143d128b93177547b524791dd2e04
Opcode Fuzzy Hash: 57b8fe6dd0288eff2ae01d5971cad666262c135064dcd03b9368150361e9450b
Instruction Fuzzy Hash: 69F055B07012292EE72013B68C4CFEB3AAEEFC47A0F100163F508F2281C9609908C6B0

Function 00EC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC11FC), ref: 00EC10D4
CloseHandle.KERNEL32(?,?,00EC11FC), ref: 00EC10E9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 664455621cec4d0a4358388a3cf581935b379dcdcd18e5e8223118501435c303
Instruction ID: 9bae42c26d9c5622317596ebeb48179f596bd2a34b65864b6b9701719e93aa6e
Opcode Fuzzy Hash: 664455621cec4d0a4358388a3cf581935b379dcdcd18e5e8223118501435c303
Instruction Fuzzy Hash: F5E0BF72018610AEE7252B51FD05F7777E9EF04320F24C86DF5A5904B1DB626C91DB54

Function 00E9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E96766,?,?,00000008,?,?,00E9FEFE,00000000), ref: 00E96998

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f189e87bb20cdca1d2bef4820f5e0eb74bc39684f09368ea51746bc3fd3b23f6
Instruction ID: c1202090567a59d788eb06afab9280e2ac33faac2d8c4bbb740115cb4c9726d7
Opcode Fuzzy Hash: f189e87bb20cdca1d2bef4820f5e0eb74bc39684f09368ea51746bc3fd3b23f6
Instruction Fuzzy Hash: 82B16E71610608DFDB19CF28C48ABA57BE0FF45368F25D65AE899DF2A2C335D981CB40

Function 00E7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00EB851F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e442fcc5ed1f06e4d9e128594baaf003e04884e4887b3508e2ab8657ab4173b3
Instruction ID: 6358c52ced5ebf56a086f5455d32c3219783edb6d7e81ba22a095604d565b086
Opcode Fuzzy Hash: e442fcc5ed1f06e4d9e128594baaf003e04884e4887b3508e2ab8657ab4173b3
Instruction Fuzzy Hash: 571251759002299BCB24CF58C9807EEB7F5FF48710F14919AE849FB255EB749E81CB90

Function 00EDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EDEABD

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e478783bff1138f96968e5738a87b594feb9158cc24992b251f03653ca44ab1a
Instruction ID: 0eb05a33525f4c267b5da3fb2801c86b1eb94fa3db1e19262394c8a6dc7db504
Opcode Fuzzy Hash: e478783bff1138f96968e5738a87b594feb9158cc24992b251f03653ca44ab1a
Instruction Fuzzy Hash: 5EE012312002059FC710EF59D404D9AB7D9EF987A4F109416FC45EB351D670A8458B90

Function 00E809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E803EE), ref: 00E809DA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6159c517cd0c9db8f6ef7c1f2b2b0b59a93ac4f9dac9e2b7f4e72d8281e55122
Instruction ID: 795ac02d112859ab49f89cd6b35c5d1af2194ac0ffc6cfe0f1dbb5874e89439d
Opcode Fuzzy Hash: 6159c517cd0c9db8f6ef7c1f2b2b0b59a93ac4f9dac9e2b7f4e72d8281e55122
Instruction Fuzzy Hash:

Function 00E8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E8798B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3cc61938671e0e47e1c351c395fc9144648bcb65c8698ea6c3444c813b15831b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E551A52160C7155BDB3CB968898E7FE27C99B82388F383409D8CEF7282DA11DE41D352

Function 00E96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a87a5b14680cb9a8ba19fdbbe71be3e1b284a1bdafa6ecc61fec7e553ab58f0
Instruction ID: 61173f0c2c2152437657e228ec1ae1dd6c805f8f36930d0e37eae45b1e50fe61
Opcode Fuzzy Hash: 4a87a5b14680cb9a8ba19fdbbe71be3e1b284a1bdafa6ecc61fec7e553ab58f0
Instruction Fuzzy Hash: 29323322D79F014DDB639634CC26336A289BFB73C5F15E737E85AB59A6EB28C4835100

Function 00E7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835ea0966c74a1fff0c55d924643937ca9ded9cb430b7b30c6e684c05c69c134
Instruction ID: cfbbc8c06dc705886feb8a7bf491e87a51febef7ca1a3f958237d2318702e7d7
Opcode Fuzzy Hash: 835ea0966c74a1fff0c55d924643937ca9ded9cb430b7b30c6e684c05c69c134
Instruction Fuzzy Hash: D6322731A081198BDF39CF28C4D06FEBBA5EB45308F38A56AD45AFB291D634DD81DB41

Function 00E67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67aaf38360ba84321d7c447f3456a6590799b4eeafaa27002df1f8b4cc4b88f
Instruction ID: aa00d89a1333e055b055289d945c1d55a8316cd72481e8618961decd82cce70f
Opcode Fuzzy Hash: c67aaf38360ba84321d7c447f3456a6590799b4eeafaa27002df1f8b4cc4b88f
Instruction Fuzzy Hash: 5D22DFB1A006099FDF14CFA4D841AEEB3F6FF49344F206129E856BB291EB35AD15CB50

Function 00E691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d81e72615ba9709bde5a0cfac7cd28c7447aebef03ff179d7c52de4b29c422
Instruction ID: c39a5938b4e75b46bd14e11db490089a1e2a70046019e01c2d1fd3feb85f1c82
Opcode Fuzzy Hash: 43d81e72615ba9709bde5a0cfac7cd28c7447aebef03ff179d7c52de4b29c422
Instruction Fuzzy Hash: F902B7B0A00109EBDB14DF64D881AAEB7F5FF49354F119169E80ABB391E731AE11CB91

Function 00E99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad09b276d87a16badc7d040b69f40ffb7d35b1e0d77753b5056367fd2a750eb
Instruction ID: 25717555a3555b38bafc081529887ef82dc874baaf187572c5ac77679844e949
Opcode Fuzzy Hash: 7ad09b276d87a16badc7d040b69f40ffb7d35b1e0d77753b5056367fd2a750eb
Instruction Fuzzy Hash: 16B11220E2AF444DD72396398871336B65CBFBB6D5F92D31BFC2674D62EB2286835140

Function 00E81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 717e4b2752974680626d48df1b347c922d85aca2ea0675de94ff754345913232
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6291A9722080A34ADB2D563E843417DFFE55A923A631A27DED4FEEA1C1FE20C955D720

Function 00E81F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7cda0cbbf877617672d8b443b11a13ee22e3a16b4f2dc11d707e1f74fb99e64a
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591B6722090A30EDB2D5239853807EFFE15A923A531A27DDD5FEEB1C5EE24C954E720

Function 00E819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 356964031cf59ee82049e91c22c04b27002e6fb1044ecd7628be87f48c043280
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 4391C2722090A34ADB2D527A857407DFFE94A923A630A17DED4FEEA1C1FE10C5569720

Function 00E87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d42b98b104c7d552bd3ab179e8297668bd99fa33a079a05f8fd984374424545
Instruction ID: 1fb7e82ada5dd29181a2ec6349b5a89d927538a6623c6586a580c277a61038cf
Opcode Fuzzy Hash: 5d42b98b104c7d552bd3ab179e8297668bd99fa33a079a05f8fd984374424545
Instruction Fuzzy Hash: DE61893124870956DA38BA288D95BFEA3D7DF51708F343959E8CEFB281D611DE42C315

Function 00E87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310e6d1c1d4c583c71df8e7d14d6b096fa629cd1f9c312969011f8910c7c1490
Instruction ID: d693e5a83c45788380df43f0351c34566f1f6a51a128465ab413ff4ba3ff63d2
Opcode Fuzzy Hash: 310e6d1c1d4c583c71df8e7d14d6b096fa629cd1f9c312969011f8910c7c1490
Instruction Fuzzy Hash: 5661473160C70996DA38BA284955BBE6384AF43748F30395DE8CEFB2C1EA12ED428355

Function 00E81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 925d44c7cbef1ff0b601408b87db0cac3dfd44581623eb3ed2b7e7b39e659584
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 4D81C3326080A30EDB2D523A853407EFFE55A923A531A27DED4FEEB1C1EE24C555E720

Function 00E7D063 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9928efed8c0635a7325ea99df355544910aaab824386effac2a8e66a3a10f8
Instruction ID: a5e8ff2bba1807284984226036939af4cf020450a5a85c97009b88bb0def16e8
Opcode Fuzzy Hash: 8f9928efed8c0635a7325ea99df355544910aaab824386effac2a8e66a3a10f8
Instruction Fuzzy Hash: A551808694EFC65FD30382748CAA4E5AF758C471303ACE7DF8189166CBE689050BD786

Function 00ED2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98c7f8ac2f996c05fb8adcb95aa740c9edd7e6bd27971725bd9e05a91e3d660
Instruction ID: 74799fc568e47eed03a4456237650c697bf7b66aea861b64c496204be1fa5573
Opcode Fuzzy Hash: f98c7f8ac2f996c05fb8adcb95aa740c9edd7e6bd27971725bd9e05a91e3d660
Instruction Fuzzy Hash: 9D21D5323206158BDB28CE79C82367A73E5EB64320F14862EE4A7D33D0DE35A904DB80

Function 00EE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EE2B30
DeleteObject.GDI32(00000000), ref: 00EE2B43
DestroyWindow.USER32 ref: 00EE2B52
GetDesktopWindow.USER32 ref: 00EE2B6D
GetWindowRect.USER32(00000000), ref: 00EE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2CF8
GetClientRect.USER32(00000000,?), ref: 00EE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D80
GlobalLock.KERNEL32(00000000), ref: 00EE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00EE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2DA8
GlobalFree.KERNEL32(00000000), ref: 00EE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EFFC38,00000000), ref: 00EE2DDB
GlobalFree.KERNEL32(00000000), ref: 00EE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE303F

Strings

AutoIt v3, xrefs: 00EE2CF2
static, xrefs: 00EE2D3A, 00EE2E91
DISPLAY, xrefs: 00EE2EA2
, xrefs: 00EE2FC5

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1e5b20307d995bef1d05d336b79caa2dd18ec57c609a9a2b2a77a39e41968186
Instruction ID: d7b0e332e65107315e7d42124c84823cc3ab9fb99008c26570c7273f60cbefa0
Opcode Fuzzy Hash: 1e5b20307d995bef1d05d336b79caa2dd18ec57c609a9a2b2a77a39e41968186
Instruction Fuzzy Hash: 65029D71A00208AFDB14DF65CD89EAE7BB9FF48714F208158F915BB2A1DB70AD05CB60

Function 00EF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EF712F
GetSysColorBrush.USER32(0000000F), ref: 00EF7160
GetSysColor.USER32(0000000F), ref: 00EF716C
SetBkColor.GDI32(?,000000FF), ref: 00EF7186
SelectObject.GDI32(?,?), ref: 00EF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00EF71C0
GetSysColor.USER32(00000010), ref: 00EF71C8
CreateSolidBrush.GDI32(00000000), ref: 00EF71CF
FrameRect.USER32(?,?,00000000), ref: 00EF71DE
DeleteObject.GDI32(00000000), ref: 00EF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00EF7230
FillRect.USER32(?,?,?), ref: 00EF7262
GetWindowLongW.USER32(?,000000F0), ref: 00EF7284

Part of subcall function 00EF73E8: GetSysColor.USER32(00000012), ref: 00EF7421
Part of subcall function 00EF73E8: SetTextColor.GDI32(?,?), ref: 00EF7425
Part of subcall function 00EF73E8: GetSysColorBrush.USER32(0000000F), ref: 00EF743B
Part of subcall function 00EF73E8: GetSysColor.USER32(0000000F), ref: 00EF7446
Part of subcall function 00EF73E8: GetSysColor.USER32(00000011), ref: 00EF7463
Part of subcall function 00EF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EF7471
Part of subcall function 00EF73E8: SelectObject.GDI32(?,00000000), ref: 00EF7482
Part of subcall function 00EF73E8: SetBkColor.GDI32(?,00000000), ref: 00EF748B
Part of subcall function 00EF73E8: SelectObject.GDI32(?,?), ref: 00EF7498
Part of subcall function 00EF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00EF74B7
Part of subcall function 00EF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EF74CE
Part of subcall function 00EF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00EF74DB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b5571d2c8e5f6b8e00a160e0101b82578fb2113e792047902e266c2957453bad
Instruction ID: d399d539852f9b4b563ff356342a4726569c4030706c4de78ff937ef802c5b4a
Opcode Fuzzy Hash: b5571d2c8e5f6b8e00a160e0101b82578fb2113e792047902e266c2957453bad
Instruction Fuzzy Hash: AFA19571009309AFD7009F61DD48EBB77A9FB89320F301A19F6A2A61E1D771D949CB51

Function 00E78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00EB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EB6F43

Part of subcall function 00E78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E78BE8,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00E78FC5

SendMessageW.USER32(?,00001053), ref: 00EB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00EB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00EB6FB7

Strings

0, xrefs: 00EB6DCF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2ed147a75ac6a06ed24f4276eff72fead140cdf3296cd8b7e1f739d357595dca
Instruction ID: 1f71da76bba30c4cca81b0ca4d61f50f4e5667a753b9a46005dc2f61e3edbfa4
Opcode Fuzzy Hash: 2ed147a75ac6a06ed24f4276eff72fead140cdf3296cd8b7e1f739d357595dca
Instruction Fuzzy Hash: C712BD30601205DFDB25DF24CA88BFABBF1FB54314F24A469E489AB261CB35E852DF51

Function 00EE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EE2900
GetClientRect.USER32(00000000,?), ref: 00EE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EE2964
GetStockObject.GDI32(00000011), ref: 00EE2974
SelectObject.GDI32(00000000,00000000), ref: 00EE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE2991
DeleteDC.GDI32(00000000), ref: 00EE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EE2A77
GetStockObject.GDI32(00000011), ref: 00EE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EE2A97

Strings

AutoIt v3, xrefs: 00EE28F8
static, xrefs: 00EE294F, 00EE2A71
DISPLAY, xrefs: 00EE295A
msctls_progress32, xrefs: 00EE2A13

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 43050a47629c090540b32f08fa9e29b28290448a7482314d2d1b707b71d51091
Instruction ID: 2cd574395ebe07bbbd7aa2f5724ae9e893e83142b7f7c9b3c50bc720fec6b029
Opcode Fuzzy Hash: 43050a47629c090540b32f08fa9e29b28290448a7482314d2d1b707b71d51091
Instruction Fuzzy Hash: 73B17B71A40209AFEB14DFA9DD49EAE7BA9FB48710F104119FA15E7290D770ED44CBA0

Function 00ED4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED4AED
GetDriveTypeW.KERNEL32(?,00EFCB68,?,\\.\,00EFCC08), ref: 00ED4BCA
SetErrorMode.KERNEL32(00000000,00EFCB68,?,\\.\,00EFCC08), ref: 00ED4D36

Strings

MMC, xrefs: 00ED4CDE
FileBackedVirtual, xrefs: 00ED4CEC
iSCSI, xrefs: 00ED4CC2
SSD, xrefs: 00ED4C4A
Fibre, xrefs: 00ED4CAD
\\.\, xrefs: 00ED4B3F
SSA, xrefs: 00ED4CA6
Network, xrefs: 00ED4C02
RAID, xrefs: 00ED4CBB
1394, xrefs: 00ED4C9F
RAMDisk, xrefs: 00ED4BF4
Removable, xrefs: 00ED4C10, 00ED4C15
SAS, xrefs: 00ED4CC9
ATA, xrefs: 00ED4C98
Fixed, xrefs: 00ED4C09
Unknown, xrefs: 00ED4BED, 00ED4C83
ATAPI, xrefs: 00ED4C91
SCSI, xrefs: 00ED4C8A
SATA, xrefs: 00ED4CD0
CDROM, xrefs: 00ED4BFB
Virtual, xrefs: 00ED4CE5
USB, xrefs: 00ED4CB4
PhysicalDrive, xrefs: 00ED4B76

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0f0f1da964be8c267a5b4fe5de7b656cfc234202d1d46124cbb3c0cd2053fdf8
Instruction ID: abacd1f1d405acf23b3f0b3e4fc5ae54d43cce10ca156ad2e122d3bb15881b9f
Opcode Fuzzy Hash: 0f0f1da964be8c267a5b4fe5de7b656cfc234202d1d46124cbb3c0cd2053fdf8
Instruction Fuzzy Hash: 2661D5B1656109DBDB04DF14DA81AB8B7B1EB64344B206417F806FB3D2DB32ED42EB42

Function 00EF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EF7421
SetTextColor.GDI32(?,?), ref: 00EF7425
GetSysColorBrush.USER32(0000000F), ref: 00EF743B
GetSysColor.USER32(0000000F), ref: 00EF7446
CreateSolidBrush.GDI32(?), ref: 00EF744B
GetSysColor.USER32(00000011), ref: 00EF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EF7471
SelectObject.GDI32(?,00000000), ref: 00EF7482
SetBkColor.GDI32(?,00000000), ref: 00EF748B
SelectObject.GDI32(?,?), ref: 00EF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00EF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00EF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00EF7572
DrawFocusRect.USER32(?,?), ref: 00EF757D
GetSysColor.USER32(00000011), ref: 00EF758E
SetTextColor.GDI32(?,00000000), ref: 00EF7596
DrawTextW.USER32(?,00EF70F5,000000FF,?,00000000), ref: 00EF75A8
SelectObject.GDI32(?,?), ref: 00EF75BF
DeleteObject.GDI32(?), ref: 00EF75CA
SelectObject.GDI32(?,?), ref: 00EF75D0
DeleteObject.GDI32(?), ref: 00EF75D5
SetTextColor.GDI32(?,?), ref: 00EF75DB
SetBkColor.GDI32(?,?), ref: 00EF75E5

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: abbafbec0ed8a05c6314b313d757c955995425c3aa0de028941f6db0483a7b72
Instruction ID: 5daf5c41c3d0950a2cf074a708539f19b37f2298922d5d0ce6de532f2ce472ef
Opcode Fuzzy Hash: abbafbec0ed8a05c6314b313d757c955995425c3aa0de028941f6db0483a7b72
Instruction Fuzzy Hash: 72615A7290421CAFDF019FA5DD49EEEBFB9EB48320F214115FA15BB2A1D7709944CB90

Function 00EF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EF1128
GetDesktopWindow.USER32 ref: 00EF113D
GetWindowRect.USER32(00000000), ref: 00EF1144
GetWindowLongW.USER32(?,000000F0), ref: 00EF1199
DestroyWindow.USER32(?), ref: 00EF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00EF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EF1245
IsWindowVisible.USER32(00000000), ref: 00EF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EF12D0
GetWindowRect.USER32(00000000,?), ref: 00EF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00EF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00EF1328
CopyRect.USER32(?,?), ref: 00EF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EF13AA

Strings

tooltips_class32, xrefs: 00EF11E6
(, xrefs: 00EF131B
0, xrefs: 00EF10D3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8e2e981d31e538a218d093205b638d606eb83c7b121b324931f8f08d3552c56
Instruction ID: fa087b2544b23cf9abf033995201b0eedfe3083dcdc368e7f57e2836330a9a35
Opcode Fuzzy Hash: a8e2e981d31e538a218d093205b638d606eb83c7b121b324931f8f08d3552c56
Instruction Fuzzy Hash: C5B1B071608349EFD700DF64C884BAABBE4FF84754F10995CFA99AB261D770D844CB51

Function 00E78891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E78968
GetSystemMetrics.USER32(00000007), ref: 00E78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E7899B
GetSystemMetrics.USER32(00000008), ref: 00E789A3
GetSystemMetrics.USER32(00000004), ref: 00E789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E78A5A
GetStockObject.GDI32(00000011), ref: 00E78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E78A81

Part of subcall function 00E7912D: GetCursorPos.USER32(?), ref: 00E79141
Part of subcall function 00E7912D: ScreenToClient.USER32(00000000,?), ref: 00E7915E
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000001), ref: 00E79183
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000002), ref: 00E7919D

SetTimer.USER32(00000000,00000000,00000028,00E790FC), ref: 00E78AA8

Strings

AutoIt v3 GUI, xrefs: 00E78A20

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e1a2d9e4e5ca1a37f13081fa2aa21b2161278d16cc9a31da144526e873095a27
Instruction ID: bf57b0b5eaf42b4e2cb49aaec69041b76fc2340f8ade5e96dfc3d60bc9037fd4
Opcode Fuzzy Hash: e1a2d9e4e5ca1a37f13081fa2aa21b2161278d16cc9a31da144526e873095a27
Instruction Fuzzy Hash: F4B17D71A002099FDB14DF68CD59BEE3BB5FB48314F21922AFA19B7290DB74E840CB51

Function 00EC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
Part of subcall function 00EC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
Part of subcall function 00EC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
Part of subcall function 00EC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC0E29
GetLengthSid.ADVAPI32(?), ref: 00EC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC0E96
GetLengthSid.ADVAPI32(?), ref: 00EC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC0EDD
CopySid.ADVAPI32(00000000), ref: 00EC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F6E
HeapFree.KERNEL32(00000000), ref: 00EC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F7E
HeapFree.KERNEL32(00000000), ref: 00EC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F8E
HeapFree.KERNEL32(00000000), ref: 00EC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC0FA1
HeapFree.KERNEL32(00000000), ref: 00EC0FA8

Part of subcall function 00EC1193: GetProcessHeap.KERNEL32(00000008,00EC0BB1,?,00000000,?,00EC0BB1,?), ref: 00EC11A1
Part of subcall function 00EC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EC0BB1,?), ref: 00EC11A8
Part of subcall function 00EC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EC0BB1,?), ref: 00EC11B7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ec8b93969d03b8389d4298de4256761f7b8a0d4c6a98b1ac0158b07ad4b73e2c
Instruction ID: ad3ad353b4e4cdee058b7f36171a211e5168e3fbb85565cb3ed350f63fe330d5
Opcode Fuzzy Hash: ec8b93969d03b8389d4298de4256761f7b8a0d4c6a98b1ac0158b07ad4b73e2c
Instruction Fuzzy Hash: 02716F71A0020AEFDF209FA5DE44FAEBBB8BF45304F244119F919F6151D7319A5ACB60

Function 00EEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EFCC08,00000000,?,00000000,?,?), ref: 00EEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EEC5A4
_wcslen.LIBCMT ref: 00EEC5F4
_wcslen.LIBCMT ref: 00EEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EEC84D
RegCloseKey.ADVAPI32(?), ref: 00EEC881
RegCloseKey.ADVAPI32(00000000), ref: 00EEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EEC960

Strings

REG_EXPAND_SZ, xrefs: 00EEC5CD
REG_QWORD, xrefs: 00EEC8C3
REG_MULTI_SZ, xrefs: 00EEC6F5
REG_BINARY, xrefs: 00EEC913
REG_SZ, xrefs: 00EEC644
REG_DWORD, xrefs: 00EEC804

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b86e0c4c12db36c54667281224e620068b6ecbc70c55de581a822ec465871ee2
Instruction ID: ba300756bb25d11908ca1e5b36945eafd196087720f4e1601149b76d1cc8e5b8
Opcode Fuzzy Hash: b86e0c4c12db36c54667281224e620068b6ecbc70c55de581a822ec465871ee2
Instruction Fuzzy Hash: 55128D356042419FC714DF15D881A2AB7E5FF88754F24989DF88AAB3A2DB31FC42CB81

Function 00EF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF09C6
_wcslen.LIBCMT ref: 00EF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF0A54
_wcslen.LIBCMT ref: 00EF0A8A
_wcslen.LIBCMT ref: 00EF0B06
_wcslen.LIBCMT ref: 00EF0B81

Part of subcall function 00E7F9F2: _wcslen.LIBCMT ref: 00E7F9FD

Part of subcall function 00EC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC2BFA

Strings

EXPAND, xrefs: 00EF0BF8
ISCHECKED, xrefs: 00EF0CE1
COLLAPSE, xrefs: 00EF0B01, 00EF0B1C
GETTEXT, xrefs: 00EF0C97
GETITEMCOUNT, xrefs: 00EF0C1E
SELECT, xrefs: 00EF0D11
GETSELECTED, xrefs: 00EF0C4E
UNCHECK, xrefs: 00EF0D3E
GETTOTALCOUNT, xrefs: 00EF09F2, 00EF0A17
EXISTS, xrefs: 00EF0B7C, 00EF0B97
CHECK, xrefs: 00EF0A85, 00EF0AA0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 22de28d1d26802a76d22ef82b42823f709f01fa89d4356aaabab9824aaea7110
Instruction ID: 37c41d06d97670cd44c78957028af8a360c16d1e2eca9ddadf25e13a9d599143
Opcode Fuzzy Hash: 22de28d1d26802a76d22ef82b42823f709f01fa89d4356aaabab9824aaea7110
Instruction Fuzzy Hash: 4BE1DA312087058FC714EF24C45097AB7E2BF88358B50A99DF99ABB3A2D731ED45CB81

Function 00EEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
_wcslen.LIBCMT ref: 00EEC9F1
_wcslen.LIBCMT ref: 00EECA68
_wcslen.LIBCMT ref: 00EECA9E
_wcslen.LIBCMT ref: 00EECAF9
_wcslen.LIBCMT ref: 00EECB2F
_wcslen.LIBCMT ref: 00EECB7F

Strings

HKCC, xrefs: 00EECBAC
HKCR, xrefs: 00EECB29, 00EECB2E
HKEY_USERS, xrefs: 00EECBDF
HKEY_CLASSES_ROOT, xrefs: 00EECAF3, 00EECAF8
HKU, xrefs: 00EECBF0
HKEY_CURRENT_USER, xrefs: 00EECBBD
HKCU, xrefs: 00EECBCE
HKEY_CURRENT_CONFIG, xrefs: 00EECB79, 00EECB7E
HKEY_LOCAL_MACHINE, xrefs: 00EECA62, 00EECA67
HKLM, xrefs: 00EECA98, 00EECA9D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8731913019e0136a952b55b3c9b4523c5115010b692e068bd2bdfd5b9abe1e0e
Instruction ID: 0b9b13fd5c170c9986e0649b38991c606902b2b18d4752016d9ba2b2dd9a5970
Opcode Fuzzy Hash: 8731913019e0136a952b55b3c9b4523c5115010b692e068bd2bdfd5b9abe1e0e
Instruction Fuzzy Hash: 597119326001AE8BCB20EE7ED9415FF3395ABA0758B312534F86EB7285E631CD42D390

Function 00EF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF835A
_wcslen.LIBCMT ref: 00EF836E
_wcslen.LIBCMT ref: 00EF8391
_wcslen.LIBCMT ref: 00EF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00EF361A,?), ref: 00EF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EF8501
FreeLibrary.KERNEL32(?), ref: 00EF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EF851D
DestroyIcon.USER32(?), ref: 00EF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EF8555

Strings

.dll, xrefs: 00EF83AB
.exe, xrefs: 00EF8388
.icl, xrefs: 00EF8368

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 79beb862002d83bc705e7b28414e7cccec8490c02a13b97c8856995332529360
Instruction ID: 0c6b54eb3efc4ea4347a5d6d04c957beefbd5497809ec5ee1cd5bc5665ad35a5
Opcode Fuzzy Hash: 79beb862002d83bc705e7b28414e7cccec8490c02a13b97c8856995332529360
Instruction Fuzzy Hash: F661F07150021ABFEB14DF64CD41BBE77A8FB44710F20560AF919F60D0EB74A984C7A0

Function 00E67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 00E6782F
#notrayicon, xrefs: 00E677E7
#ce, xrefs: 00E678ED
", xrefs: 00EA5153
Cannot parse #include, xrefs: 00EA5279
#cs, xrefs: 00E67873, 00E678C5
#OnAutoItStartRegister, xrefs: 00E67817
', xrefs: 00EA5169
Unterminated group of comments, xrefs: 00EA528C
#comments-start, xrefs: 00E6785F, 00E678B1
#include, xrefs: 00E67847
Bad directive syntax error, xrefs: 00EA519A
#requireadmin, xrefs: 00E677FF
#pragma compile, xrefs: 00E677D3
#comments-end, xrefs: 00E678D9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 923f7e2d230b11d16f3d266d6d0e5d15dfdd04bd5b681bd375e98d67ecf00a7b
Instruction ID: 53bc45d08b1ac1c328ecb43ac1f920046e647461981c5e05b72de5a551d0bd6b
Opcode Fuzzy Hash: 923f7e2d230b11d16f3d266d6d0e5d15dfdd04bd5b681bd375e98d67ecf00a7b
Instruction Fuzzy Hash: 6A811571684605BBDB20AF60ED42FBE37E8AF15348F106025FD48BB192EB70E901C7A1

Function 00ED3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00ED3EF8
_wcslen.LIBCMT ref: 00ED3F03
_wcslen.LIBCMT ref: 00ED3F5A
_wcslen.LIBCMT ref: 00ED3F98
GetDriveTypeW.KERNEL32(?), ref: 00ED3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED4087

Strings

closed, xrefs: 00ED3F08, 00ED3F2D, 00ED3F46, 00ED3F7E, 00ED3F97
open, xrefs: 00ED3F54, 00ED3F59
set cd door , xrefs: 00ED4028
type cdaudio alias cd wait, xrefs: 00ED4001
close cd wait, xrefs: 00ED4072
wait, xrefs: 00ED4044
open , xrefs: 00ED3FE5
close, xrefs: 00ED3EFE, 00ED3F18

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 00403314949de6ee408bd7ababfbc8b17c4e4e78375c7e4b0cfd4aa0cff6d47a
Instruction ID: f21a0b5f97a7e717eedbd55f1dcfacf6f2ef51a1b6cfc23a430ec432e94cec48
Opcode Fuzzy Hash: 00403314949de6ee408bd7ababfbc8b17c4e4e78375c7e4b0cfd4aa0cff6d47a
Instruction Fuzzy Hash: 8D71D3726042169FC310EF34D8818AAB7F4EF94798F10592EF495A7391EB31ED46CB92

Function 00EC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EC5A40
SetWindowTextW.USER32(?,?), ref: 00EC5A57
GetDlgItem.USER32(?,000003EA), ref: 00EC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EC5A72
GetDlgItem.USER32(?,000003E9), ref: 00EC5A82
SetWindowTextW.USER32(00000000,?), ref: 00EC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EC5AC3
GetWindowRect.USER32(?,?), ref: 00EC5ACC
_wcslen.LIBCMT ref: 00EC5B33
SetWindowTextW.USER32(?,?), ref: 00EC5B6F
GetDesktopWindow.USER32 ref: 00EC5B75
GetWindowRect.USER32(00000000), ref: 00EC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EC5BD3
GetClientRect.USER32(?,?), ref: 00EC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EC5C2F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d0036a1c83ef1fc90d7e9654ace034669d042f682a729687014a9b7c40d86a28
Instruction ID: 189030cc0c3e5386ea38c95578734d71be51627cc06709b2d6102c8101fc6e13
Opcode Fuzzy Hash: d0036a1c83ef1fc90d7e9654ace034669d042f682a729687014a9b7c40d86a28
Instruction Fuzzy Hash: F2715A32900A09AFDB20DFA9CE85FAEBBF5FB48704F20551DE146B25A0D776B945CB10

Function 00EDFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EDFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EDFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EDFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EDFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EDFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EDFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EDFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EDFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EDFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EDFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EDFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EDFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EDFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EDFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EDFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EDFECC
GetCursorInfo.USER32(?), ref: 00EDFEDC
GetLastError.KERNEL32 ref: 00EDFF1E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d8809abe726599eb24cb78dadff4d63d3b7328bb52c76b9e0fdb020f0c88f7fe
Instruction ID: d5f74a26e403379521ce4d80b74edb9d67e73f36b4dabab111f9b1d94ea850a1
Opcode Fuzzy Hash: d8809abe726599eb24cb78dadff4d63d3b7328bb52c76b9e0fdb020f0c88f7fe
Instruction Fuzzy Hash: C94154B0E44319AEDB10DFBA9C8586EBFE8FF04754B50452AE11DE7281DB78D901CE91

Function 00E800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E800C6

Part of subcall function 00E800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F3070C,00000FA0,B537B448,?,?,?,?,00EA23B3,000000FF), ref: 00E8011C
Part of subcall function 00E800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EA23B3,000000FF), ref: 00E80127
Part of subcall function 00E800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EA23B3,000000FF), ref: 00E80138
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E8014E
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E8015C
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E8016A
Part of subcall function 00E800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E80195
Part of subcall function 00E800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E801A0

___scrt_fastfail.LIBCMT ref: 00E800E7

Part of subcall function 00E800A3: __onexit.LIBCMT ref: 00E800A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E80122
kernel32.dll, xrefs: 00E80133
SleepConditionVariableCS, xrefs: 00E80154
WakeAllConditionVariable, xrefs: 00E80162
InitializeConditionVariable, xrefs: 00E80148

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2883600416176e4abcef9f675b668af27d80c32fac24793dc3ed03ab540ff787
Instruction ID: f22d6df708702cb370d9eb73c762812cc81a960f1e464fe2829118e31e3a00d2
Opcode Fuzzy Hash: 2883600416176e4abcef9f675b668af27d80c32fac24793dc3ed03ab540ff787
Instruction Fuzzy Hash: 3D2107326427196FE7506B64AD09B3933E4DF45B71F20112AF90DB3291DF619808CB91

Function 00EC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC318D
_wcslen.LIBCMT ref: 00EC31F8

Strings

CLASS, xrefs: 00EC3188, 00EC31A5
INSTANCE, xrefs: 00EC3453
REGEXPCLASS, xrefs: 00EC3255, 00EC3266
NAME, xrefs: 00EC3335, 00EC3346
CLASSNN, xrefs: 00EC31F3, 00EC3204
TEXT, xrefs: 00EC347C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: e6ec44e63b8fdb35d546521fe6b254fd991c627c3d6dc54bfbb15235ea778e67
Instruction ID: 680eefe2b2f32c64010690df3711005d695439e30360555637c1913b620f472a
Opcode Fuzzy Hash: e6ec44e63b8fdb35d546521fe6b254fd991c627c3d6dc54bfbb15235ea778e67
Instruction Fuzzy Hash: 24E1E431A006269BCB189FB8C541FEDFBB0BF54714F64E11EE46AB7240DB31AE469790

Function 00ED44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00EFCC08), ref: 00ED4527
_wcslen.LIBCMT ref: 00ED453B
_wcslen.LIBCMT ref: 00ED4599
_wcslen.LIBCMT ref: 00ED45F4
_wcslen.LIBCMT ref: 00ED463F
_wcslen.LIBCMT ref: 00ED46A7

Part of subcall function 00E7F9F2: _wcslen.LIBCMT ref: 00E7F9FD

GetDriveTypeW.KERNEL32(?,00F26BF0,00000061), ref: 00ED4743

Strings

network, xrefs: 00ED469D, 00ED46A2
ramdisk, xrefs: 00ED46F1
removable, xrefs: 00ED45EA, 00ED45EF
all, xrefs: 00ED4531, 00ED4536
cdrom, xrefs: 00ED458F, 00ED4594
unknown, xrefs: 00ED4708
fixed, xrefs: 00ED4635, 00ED463A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0a4296babc225d9bc212c07fbc82affa944aeb1f42b6cbbc258cd5b970350378
Instruction ID: 7e24b7b6671c38e647f4bc9c38a50db4ebc3859cda4f74992665cef95bf8b0b8
Opcode Fuzzy Hash: 0a4296babc225d9bc212c07fbc82affa944aeb1f42b6cbbc258cd5b970350378
Instruction Fuzzy Hash: 1AB102B16083029FC710DF28D890A6AB7E5EFA5764F10691EF4AAE73D1D730D846CB52

Function 00EE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EFCC08), ref: 00EE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00EFCC08), ref: 00EE40F2
FreeLibrary.KERNEL32(00000000,?,00EFCC08), ref: 00EE413E
StringFromGUID2.OLE32(?,?,00000028,?,00EFCC08), ref: 00EE41A8
SysFreeString.OLEAUT32(00000009), ref: 00EE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EE42C8
SysFreeString.OLEAUT32(?), ref: 00EE42F2

Strings

GetModuleHandleExW, xrefs: 00EE40C7
kernel32.dll, xrefs: 00EE40B6

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ae88a5e1ef9555b58a3fea567f47b6c467ac2ea8bc6adb0cb22246e539ef83c6
Instruction ID: 9bc150191f486e0083a2ac5eb3d04680a2d5af95f99d61ceb51064e4bff0c890
Opcode Fuzzy Hash: ae88a5e1ef9555b58a3fea567f47b6c467ac2ea8bc6adb0cb22246e539ef83c6
Instruction Fuzzy Hash: F2126EB1A00149EFDB14DF95C884EAEB7B5FF85318F249098F905AB291D731ED46CBA0

Function 00E6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F31990), ref: 00EA2F8D
GetMenuItemCount.USER32(00F31990), ref: 00EA303D
GetCursorPos.USER32(?), ref: 00EA3081
SetForegroundWindow.USER32(00000000), ref: 00EA308A
TrackPopupMenuEx.USER32(00F31990,00000000,?,00000000,00000000,00000000), ref: 00EA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EA30A9

Strings

0, xrefs: 00E6327D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a6650721fae1a959478fdcedbcc36e3cc40f3b34d51ee3e081f1c1b666e03bf7
Instruction ID: 09f1af3609c9de54acc9f05ed49914247d48d4d6a66f442e813e6036ae960470
Opcode Fuzzy Hash: a6650721fae1a959478fdcedbcc36e3cc40f3b34d51ee3e081f1c1b666e03bf7
Instruction Fuzzy Hash: B8712930644209BEEB218F39DD49FAABF68FF05368F20520AF6157A1E0C7B1B954D750

Function 00EF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00EF6DEB

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF6E94
DestroyWindow.USER32(?), ref: 00EF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E60000,00000000), ref: 00EF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF6EFD
GetDesktopWindow.USER32 ref: 00EF6F16
GetWindowRect.USER32(00000000), ref: 00EF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EF6F4D

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

Strings

tooltips_class32, xrefs: 00EF6E58, 00EF6EDD
0, xrefs: 00EF6D98

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0aa3fcf9e187f6ba9053e813b0888f4365b4d63e8019f8ab1896ac9dae3ff943
Instruction ID: 73b1595168c2b51dc26ffff1ac12e20fffea7bbaf7779074bf044e720d659b21
Opcode Fuzzy Hash: 0aa3fcf9e187f6ba9053e813b0888f4365b4d63e8019f8ab1896ac9dae3ff943
Instruction Fuzzy Hash: C5716C71104248AFDB21DF18D844BBABBE9FB89708F14541DF689A7261C770ED0ADB12

Function 00EF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DragQueryPoint.SHELL32(?,?), ref: 00EF9147

Part of subcall function 00EF7674: ClientToScreen.USER32(?,?), ref: 00EF769A
Part of subcall function 00EF7674: GetWindowRect.USER32(?,?), ref: 00EF7710
Part of subcall function 00EF7674: PtInRect.USER32(?,?,00EF8B89), ref: 00EF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00EF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00EF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00EF9277
DragFinish.SHELL32(?), ref: 00EF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EF9371

Strings

@GUI_DROPID, xrefs: 00EF929E
@GUI_DRAGFILE, xrefs: 00EF9320
@GUI_DRAGID, xrefs: 00EF92E9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 226fff89bbac76ccfd0d38c38389e012789f526d62082ddae6cf4c627b33f72b
Instruction ID: 1fc75f693f912862d000da59c42b7916f31b2db899972bbb7235f241087637da
Opcode Fuzzy Hash: 226fff89bbac76ccfd0d38c38389e012789f526d62082ddae6cf4c627b33f72b
Instruction Fuzzy Hash: 2E616A71108305AFD701EF60ED85EAFBBE8EFC8790F10192DF595A21A1DB309A49CB52

Function 00EDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EDC5F0
InternetCloseHandle.WININET(00000000), ref: 00EDC5FB

Strings

, xrefs: 00EDC575

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: cfbe1445f9756c5520edd74589b7c8ec674ad6108ac5fe3ebfd58363f0e6fb00
Instruction ID: c275191be1f7ea5c58456b4f10d7d08b9d4111a9b8c430653abb8db0c55461f9
Opcode Fuzzy Hash: cfbe1445f9756c5520edd74589b7c8ec674ad6108ac5fe3ebfd58363f0e6fb00
Instruction Fuzzy Hash: 1E517FB150060ABFDB219F61D948ABB7BFCFF48788F20541AF945E6250DB30E949DB60

Function 00EF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00EF8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00EF85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00EF85AD
CloseHandle.KERNEL32(00000000), ref: 00EF85BA
GlobalLock.KERNEL32(00000000), ref: 00EF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00EF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00EF85E0
CloseHandle.KERNEL32(00000000), ref: 00EF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00EF85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EFFC38,?), ref: 00EF8611
GlobalFree.KERNEL32(00000000), ref: 00EF8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00EF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00EF8671
DeleteObject.GDI32(00000000), ref: 00EF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EF86AF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 8ece81a2ab9a89a62308893eda1318e596cade621bbfa1afa6957b54c39f3220
Instruction ID: 1ee1a4fa9047984f702ab89567054c68542a472f62347215fe7f2cad8925fb49
Opcode Fuzzy Hash: 8ece81a2ab9a89a62308893eda1318e596cade621bbfa1afa6957b54c39f3220
Instruction Fuzzy Hash: 7D410A75600208AFDB11DFA6DE48EBA7BB8FF89B55F214058F905E72A0DB309D05DB60

Function 00ED14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00ED1502
VariantCopy.OLEAUT32(?,?), ref: 00ED150B
VariantClear.OLEAUT32(?), ref: 00ED1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00ED15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00ED1657
VariantInit.OLEAUT32(?), ref: 00ED1708
SysFreeString.OLEAUT32(?), ref: 00ED178C
VariantClear.OLEAUT32(?), ref: 00ED17D8
VariantClear.OLEAUT32(?), ref: 00ED17E7
VariantInit.OLEAUT32(00000000), ref: 00ED1823

Strings

Default, xrefs: 00ED16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00ED1625

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 67c5c6b3421210a200980ce4ac42e8ba3382832a7c80fef42e48724b890b4569
Instruction ID: 2382d8a8bd884abf69166512ce5986bd7151cf8a908d19c09bc27ad8fdc78330
Opcode Fuzzy Hash: 67c5c6b3421210a200980ce4ac42e8ba3382832a7c80fef42e48724b890b4569
Instruction Fuzzy Hash: 88D1DE71A00205EBDB109F65E885BBDB7F5FF85700F24909BE406BB291DB38D846DB62

Function 00EEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00EEB80A
RegCloseKey.ADVAPI32(?), ref: 00EEB87E
RegCloseKey.ADVAPI32(?), ref: 00EEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00EEB922
FreeLibrary.KERNEL32(00000000), ref: 00EEB983
RegCloseKey.ADVAPI32(00000000), ref: 00EEB994

Strings

advapi32.dll, xrefs: 00EEB8ED
RegDeleteKeyExW, xrefs: 00EEB8FE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b6c5d99ab9e321ff3d3742afe31037b50c000b126418430b9a696788dc48baad
Instruction ID: f206ef7a2dce0826bd36b2ec360e80a3b39c87e9bfc800d468872867a3a9d2d2
Opcode Fuzzy Hash: b6c5d99ab9e321ff3d3742afe31037b50c000b126418430b9a696788dc48baad
Instruction Fuzzy Hash: 17C19D30204245AFD714DF15C495F2ABBE5BF84348F24A55CF49AAB3A2CB71EC46CB91

Function 00EE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EE25E8
CreateCompatibleDC.GDI32(?), ref: 00EE25F4
SelectObject.GDI32(00000000,?), ref: 00EE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EE26D0
SelectObject.GDI32(?,?), ref: 00EE26D8
DeleteObject.GDI32(?), ref: 00EE26E1
DeleteDC.GDI32(?), ref: 00EE26E8
ReleaseDC.USER32(00000000,?), ref: 00EE26F3

Strings

(, xrefs: 00EE268D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2895b7dab25e906bc8df3ea36e4ab36479083ed969cb95d469b3d1c105a119e8
Instruction ID: 4b34b796dffe09e9540cdecde3daa2b95bf408b46d77d1dae56c8454e2f86ea2
Opcode Fuzzy Hash: 2895b7dab25e906bc8df3ea36e4ab36479083ed969cb95d469b3d1c105a119e8
Instruction Fuzzy Hash: 4561D175D00219EFCB04CFA9D984AAEBBF9FF48310F20852AEA55B7250D770A955CF90

Function 00E9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E9DAA1

Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D659
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D66B
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D67D
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D68F
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6A1
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6B3
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6C5
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6D7
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6E9
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6FB
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D70D
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D71F
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D731

_free.LIBCMT ref: 00E9DA96

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9DAB8
_free.LIBCMT ref: 00E9DACD
_free.LIBCMT ref: 00E9DAD8
_free.LIBCMT ref: 00E9DAFA
_free.LIBCMT ref: 00E9DB0D
_free.LIBCMT ref: 00E9DB1B
_free.LIBCMT ref: 00E9DB26
_free.LIBCMT ref: 00E9DB5E
_free.LIBCMT ref: 00E9DB65
_free.LIBCMT ref: 00E9DB82
_free.LIBCMT ref: 00E9DB9A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cc40270b5b1446514bd5f3ec637d8578c0e4a18b73ca600a35bbe765c1b39b9a
Instruction ID: d270f3b9fd587b295aa8531a34875fb8635c5b0e758b15dfb91fc83e49a139ff
Opcode Fuzzy Hash: cc40270b5b1446514bd5f3ec637d8578c0e4a18b73ca600a35bbe765c1b39b9a
Instruction Fuzzy Hash: 01318B31608714AFEF21AA38EC41B9AB7E9FF40324F106419E548F7192EF71AC50C760

Function 00EC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EC369C
_wcslen.LIBCMT ref: 00EC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EC3797
GetClassNameW.USER32(?,?,00000400), ref: 00EC380C
GetDlgCtrlID.USER32(?), ref: 00EC385D
GetWindowRect.USER32(?,?), ref: 00EC3882
GetParent.USER32(?), ref: 00EC38A0
ScreenToClient.USER32(00000000), ref: 00EC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EC395D

Strings

%s%u, xrefs: 00EC3734

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7844f973614e90e640c13fd57d2cccbdc0f71acde95f8cb978a8194a81f5218e
Instruction ID: c680489570dba980fe1fbcdde793c2b5caaeb3b1a6111cad7895b198439e44ff
Opcode Fuzzy Hash: 7844f973614e90e640c13fd57d2cccbdc0f71acde95f8cb978a8194a81f5218e
Instruction Fuzzy Hash: EB91C071204606AFD718DF34C985FAAB7E8FF84314F10952DF999E2190DB31EA4ACB91

Function 00EC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EC49DA
_wcslen.LIBCMT ref: 00EC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EC49F7
_wcsstr.LIBVCRUNTIME ref: 00EC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EC4B20
GetWindowRect.USER32(?,?), ref: 00EC4B8B

Strings

ThumbnailClass, xrefs: 00EC4A6F, 00EC4AF1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5c48670fabaa112c758fe014c4d0b6ee3aacecbca909b48a9818a056bb00f44c
Instruction ID: 85787b594a7b5eb5b2b19d4bde5876ac05364c510c3a0852e2ab8dc8ac889bde
Opcode Fuzzy Hash: 5c48670fabaa112c758fe014c4d0b6ee3aacecbca909b48a9818a056bb00f44c
Instruction Fuzzy Hash: D191B0B10042059FDB04DE14CA95FAA77E8EF84718F04646DFD89A60D6DB31ED46CBA1

Function 00ECBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F31990,000000FF,00000000,00000030), ref: 00ECBFAC
SetMenuItemInfoW.USER32(00F31990,00000004,00000000,00000030), ref: 00ECBFE1
Sleep.KERNEL32(000001F4), ref: 00ECBFF3
GetMenuItemCount.USER32(?), ref: 00ECC039
GetMenuItemID.USER32(?,00000000), ref: 00ECC056
GetMenuItemID.USER32(?,-00000001), ref: 00ECC082
GetMenuItemID.USER32(?,?), ref: 00ECC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ECC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECC145

Strings

0, xrefs: 00ECBF3D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2b248d09fc772904cf2d97e35c171d28fbce25d68f17f86d1b3c2ec2a877db74
Instruction ID: 68c617537008eee571d48d783d7535487b56d7e65698e35ba59192dc7df002b0
Opcode Fuzzy Hash: 2b248d09fc772904cf2d97e35c171d28fbce25d68f17f86d1b3c2ec2a877db74
Instruction Fuzzy Hash: 5F617FB090024AAFDF11CF65CE89FEE7BB9EB45348F241059E815B3291C732AD46CB61

Function 00EECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EECD48

Part of subcall function 00EECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EECCAA
Part of subcall function 00EECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EECCBD
Part of subcall function 00EECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EECCCF
Part of subcall function 00EECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EECD05
Part of subcall function 00EECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EECCF3

Strings

advapi32.dll, xrefs: 00EECCB8
RegDeleteKeyExW, xrefs: 00EECCC9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: aa4272d3ce60e6b019b9800b0f17e2eee2cb979bc20e690673078633e55e7b88
Instruction ID: f8022400c250de8c1c8124351fa6a006cf046e0b32676ed4604d4b6fd22fcb63
Opcode Fuzzy Hash: aa4272d3ce60e6b019b9800b0f17e2eee2cb979bc20e690673078633e55e7b88
Instruction Fuzzy Hash: 31318E7190112DBFDB209B96DC88EFFBB7CEF45744F300165A905F2240DA309A4ADAA1

Function 00ED3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ED3D40
_wcslen.LIBCMT ref: 00ED3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ED3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ED3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00ED3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ED3E55
CloseHandle.KERNEL32(00000000), ref: 00ED3E60
CloseHandle.KERNEL32(00000000), ref: 00ED3E6B

Strings

\??\%s, xrefs: 00ED3D5B
:, xrefs: 00ED3D82
\, xrefs: 00ED3D77

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 54bbf7c209cb2c6ba17dc87deb1891fd1bc678067ce22c3117a787a12e42f0a3
Instruction ID: 5a4b85586aad92f7abf620676aec57443f539a92753e04a336697507bacc36bb
Opcode Fuzzy Hash: 54bbf7c209cb2c6ba17dc87deb1891fd1bc678067ce22c3117a787a12e42f0a3
Instruction Fuzzy Hash: 9131A17190020AABDB209BA1DC49FEB37BDEF88744F2050B6F509E6160E7749749CB25

Function 00ECE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ECE6B4

Part of subcall function 00E7E551: timeGetTime.WINMM(?,?,00ECE6D4), ref: 00E7E555

Sleep.KERNEL32(0000000A), ref: 00ECE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00ECE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ECE727
SetActiveWindow.USER32 ref: 00ECE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ECE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ECE773
Sleep.KERNEL32(000000FA), ref: 00ECE77E
IsWindow.USER32 ref: 00ECE78A
EndDialog.USER32(00000000), ref: 00ECE79B

Strings

BUTTON, xrefs: 00ECE719

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 09dd6b99e4c52815b2fd1d8729034a36ad8473b30cab268fddc5daedf2062218
Instruction ID: 8b2f3677b47471c3d2de9a97b2c00c2a1c499550be68107866c52dfad27c2fae
Opcode Fuzzy Hash: 09dd6b99e4c52815b2fd1d8729034a36ad8473b30cab268fddc5daedf2062218
Instruction Fuzzy Hash: 9421997120060CAFEB005F32EE8AF353B6AFB94758F306429F505F12A1DB72AC15EA15

Function 00ECE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ECEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ECEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ECEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ECEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ECEAA7

Strings

close PlayMe, xrefs: 00ECEA6E, 00ECEA9B
play PlayMe wait, xrefs: 00ECEA91
play PlayMe, xrefs: 00ECEAA2
status PlayMe mode, xrefs: 00ECEA58
alias PlayMe, xrefs: 00ECEA36
open , xrefs: 00ECEA0C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c13cd868cf149e13fe5f224dc2385d175301d5c80ffd05071fa2fc69078780c7
Instruction ID: a98a00f36c9b216b9ef68be8a9da4bcd5102add7ff0afdacb7ba4813854af62b
Opcode Fuzzy Hash: c13cd868cf149e13fe5f224dc2385d175301d5c80ffd05071fa2fc69078780c7
Instruction Fuzzy Hash: 5511A331AD02697DD720A7A1ED4AEFF7ABCEBD2B44F001429B411F21D1EE704945C9B1

Function 00EC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ECA012
SetKeyboardState.USER32(?), ref: 00ECA07D
GetAsyncKeyState.USER32(000000A0), ref: 00ECA09D
GetKeyState.USER32(000000A0), ref: 00ECA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00ECA0E3
GetKeyState.USER32(000000A1), ref: 00ECA0F4
GetAsyncKeyState.USER32(00000011), ref: 00ECA120
GetKeyState.USER32(00000011), ref: 00ECA12E
GetAsyncKeyState.USER32(00000012), ref: 00ECA157
GetKeyState.USER32(00000012), ref: 00ECA165
GetAsyncKeyState.USER32(0000005B), ref: 00ECA18E
GetKeyState.USER32(0000005B), ref: 00ECA19C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8693d938d4b182532f31c1ed43620bc7bf8f6da82f82a47a0845aef58e96f336
Instruction ID: 0454973cb3d7cf4176751989e85ee4fa537ef941e05fc8be027681863eb583c1
Opcode Fuzzy Hash: 8693d938d4b182532f31c1ed43620bc7bf8f6da82f82a47a0845aef58e96f336
Instruction Fuzzy Hash: 3451D560A0438829FB35DA708615FEAAFF49F01388F0C55AD95C2671C3DA55AA4DC762

Function 00EC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EC5CE2
GetWindowRect.USER32(00000000,?), ref: 00EC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EC5D59
GetDlgItem.USER32(?,00000002), ref: 00EC5D69
GetWindowRect.USER32(00000000,?), ref: 00EC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EC5DDD
GetWindowRect.USER32(00000000,?), ref: 00EC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EC5E31
GetDlgItem.USER32(?,000003EA), ref: 00EC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EC5E67

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b607acbc8df5d73918f997b0e7e89cc6a5d5f0263d22032b6262ef2f842768c1
Instruction ID: e62856757cbe055700f03707e39adf1487dfb6234c6ffa97c0a50aaef31d0297
Opcode Fuzzy Hash: b607acbc8df5d73918f997b0e7e89cc6a5d5f0263d22032b6262ef2f842768c1
Instruction Fuzzy Hash: 9C511071A00609AFDF18CF69DE89EAE7BB5EB88700F209129F516F6290D770AD45CB50

Function 00E78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E78BE8,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00E78FC5

DestroyWindow.USER32(?), ref: 00E78C81
KillTimer.USER32(00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00E78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00EB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00EB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00EB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000), ref: 00EB69D4
DeleteObject.GDI32(00000000), ref: 00EB69E6

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7c4aae759601d2f632a641ab58705adf2f6328298f52b551885741f53a03c0ad
Instruction ID: 9abbd6ce533902d6c812ce9fadc989648e33d1b023257540df2c5c028077db97
Opcode Fuzzy Hash: 7c4aae759601d2f632a641ab58705adf2f6328298f52b551885741f53a03c0ad
Instruction Fuzzy Hash: 0E61C230102608DFDB269F15DB4CB66B7F2FB9032AF24A529E046B65A0CB35AD84DF51

Function 00E79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

GetSysColor.USER32(0000000F), ref: 00E79862

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 694e7ebe0e5f602b35f3c12ee238e3a717d93aaa91a3796cb89d702e7589dc41
Instruction ID: 4d59da423eba33c1511f8835fc63a209eaa84dfa20ce4e08ba2a33c581dc73f1
Opcode Fuzzy Hash: 694e7ebe0e5f602b35f3c12ee238e3a717d93aaa91a3796cb89d702e7589dc41
Instruction Fuzzy Hash: C641E7311056049FEB249F39DC44BBA3B65EF87335F249645F9A6A71E2C7309C42DB11

Function 00E98D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00E9903A, 00E98FD0, 00E98FF2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: 7b5e62d9b4a05bdd3dbc23c6e119f83383e1d81c92c75bdc810ece86a9074121
Instruction ID: f3d862c6ae415e36c18c56e48b17558aca4f05878490a14dcd8f6b35d3872282
Opcode Fuzzy Hash: 7b5e62d9b4a05bdd3dbc23c6e119f83383e1d81c92c75bdc810ece86a9074121
Instruction Fuzzy Hash: DBC1D374A04249AFCF11EFACC841BADBBF1AF4A314F146199E528B73A2C7309941CB61

Function 00EC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00EAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EC9717
LoadStringW.USER32(00000000,?,00EAF7F8,00000001), ref: 00EC9720

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00EAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EC9742
LoadStringW.USER32(00000000,?,00EAF7F8,00000001), ref: 00EC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EC9866

Strings

Line %d (File "%s"):, xrefs: 00EC978F
%s (%d) : ==> %s: %s %s, xrefs: 00EC984A
^ ERROR, xrefs: 00EC97FB
Line %d:, xrefs: 00EC97A0
Error: , xrefs: 00EC981D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5b3a96c41fbfa9e1942c5cb95170991dbe563f9b51db78d055b32adbb790865b
Instruction ID: af40483280b38a0c6457d33088a8bc56a949b635cd98f6bfc0a93318b8967a1b
Opcode Fuzzy Hash: 5b3a96c41fbfa9e1942c5cb95170991dbe563f9b51db78d055b32adbb790865b
Instruction Fuzzy Hash: 5B413072840119AACB04FBE0EE46EEEB7BCAF55340F202065F50573192EB356F49DB61

Function 00EC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC083C

Strings

SOFTWARE\Classes\, xrefs: 00EC070E
\IPC$, xrefs: 00EC0784
\CLSID, xrefs: 00EC0724

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 035bec7890b90699452ec4382e16e9f79fa4154e302e7d11bb8b357e1cfdb54b
Instruction ID: 4183efefb3b46b6626217af8514d86f50075ac519c2202e48e092205682bc259
Opcode Fuzzy Hash: 035bec7890b90699452ec4382e16e9f79fa4154e302e7d11bb8b357e1cfdb54b
Instruction Fuzzy Hash: 42412872C50229EFDF15EBA4ED85DEDB7B8BF44790B145129E901B3161EB309E05CBA0

Function 00EF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EF403B
CreateCompatibleDC.GDI32(00000000), ref: 00EF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EF4055
SelectObject.GDI32(00000000,00000000), ref: 00EF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EF4068
DeleteDC.GDI32(00000000), ref: 00EF4072
GetWindowLongW.USER32(?,000000EC), ref: 00EF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00EF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00EF409E

Strings

static, xrefs: 00EF3FD3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a5436019918d4680be60236c06fdbd498459fc4520e43ce928cd542188bdcae3
Instruction ID: 6ecd015e197890d446d383f1a2b15fe77506e167cdb60a309649e732db945c29
Opcode Fuzzy Hash: a5436019918d4680be60236c06fdbd498459fc4520e43ce928cd542188bdcae3
Instruction Fuzzy Hash: 3D315872101219AFDF229FA5CD08FEA3BA9EF4D724F211211FA14B61A0CB35D824DB50

Function 00EE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE3C5C
CoInitialize.OLE32(00000000), ref: 00EE3C8A
CoUninitialize.OLE32 ref: 00EE3C94
_wcslen.LIBCMT ref: 00EE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EE3F0E
CoGetObject.OLE32(?,00000000,00EFFB98,?), ref: 00EE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EE3FC4
VariantClear.OLEAUT32(?), ref: 00EE3FD8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 86ec6f53db09face6387c4531e85272c1e1e67b510b3fd449a40b7de2e48e3ee
Instruction ID: 832d6c50ccd17dbb2e4af3583787e727c7abe6c8a6abc58a9efe5627cc8b123b
Opcode Fuzzy Hash: 86ec6f53db09face6387c4531e85272c1e1e67b510b3fd449a40b7de2e48e3ee
Instruction Fuzzy Hash: 6FC168716083499FC700DF69C88896BB7E9FF89748F10591DF98AAB221D731EE05CB52

Function 00ED7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00ED7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00ED7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00ED7BA3
CoCreateInstance.OLE32(00EFFD08,00000000,00000001,00F26E6C,?), ref: 00ED7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00ED7C74
CoTaskMemFree.OLE32(?,?), ref: 00ED7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00ED7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00ED7D7A
CoTaskMemFree.OLE32(00000000), ref: 00ED7D81
CoTaskMemFree.OLE32(00000000), ref: 00ED7DD6
CoUninitialize.OLE32 ref: 00ED7DDC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 22158a46376c0c56eaed72ca38a53fd755c8f295deafc129512a934abd6d65bb
Instruction ID: d82a4a10321511ab51e71eadfc1a8c54859bb43da9613c11a4fae82cf3a3d505
Opcode Fuzzy Hash: 22158a46376c0c56eaed72ca38a53fd755c8f295deafc129512a934abd6d65bb
Instruction Fuzzy Hash: 87C13C75A04109AFCB14DF64C884DAEBBF9FF48344B149499E85AEB361D730ED46CB90

Function 00EF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF5515
CharNextW.USER32(00000158), ref: 00EF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF55AC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e31f380583eef441348c7b4e6dc85dd205020a0f294c3920875ad5a9b8fd8d7f
Instruction ID: 7ee7dac894986a0d168008a6adf055ba8effc6d1116e4fd9a54e99d88e7741f8
Opcode Fuzzy Hash: e31f380583eef441348c7b4e6dc85dd205020a0f294c3920875ad5a9b8fd8d7f
Instruction Fuzzy Hash: B761BE3290460CEFDF108F50CC84AFE7BB9EB55724F209049FB25B6290D7708A84DB61

Function 00EBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00EBFB08
VariantInit.OLEAUT32(?), ref: 00EBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00EBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EBFBA1
VariantClear.OLEAUT32(?), ref: 00EBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EBFBCC
VariantClear.OLEAUT32(?), ref: 00EBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EBFBE9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bc99c58073ea3494540a393c839781a0b8021835bc3e60eaaae621ed9dc2ffb0
Instruction ID: 5a739e5f045a45d80c8e66066a18e2b6b349936268678068e4a56b52b29e52d5
Opcode Fuzzy Hash: bc99c58073ea3494540a393c839781a0b8021835bc3e60eaaae621ed9dc2ffb0
Instruction Fuzzy Hash: 58413E35A002199FCB04DF65DCA49FEBBB9EF48344F209469E955B7261CB30A945CBA0

Function 00EC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EC9D22
GetKeyState.USER32(000000A0), ref: 00EC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EC9D57
GetKeyState.USER32(000000A1), ref: 00EC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EC9D84
GetKeyState.USER32(00000011), ref: 00EC9D96
GetAsyncKeyState.USER32(00000012), ref: 00EC9DAE
GetKeyState.USER32(00000012), ref: 00EC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EC9DD8
GetKeyState.USER32(0000005B), ref: 00EC9DEA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d2e3bbc8fd7b419d35d4c3a4a4efb6131dfc983f7e8cd88caeed81b1b0fac088
Instruction ID: c3a36a0f41aa94f4a9bb52f3572218f33bab4d7878d9036b33560c67e4651aba
Opcode Fuzzy Hash: d2e3bbc8fd7b419d35d4c3a4a4efb6131dfc983f7e8cd88caeed81b1b0fac088
Instruction Fuzzy Hash: 1A41E8305047C96DFF308660860CBB5FEE06B21348F08A05EDAC7761C3DBA699C9C7A2

Function 00EE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EE05BC
inet_addr.WSOCK32(?), ref: 00EE061C
gethostbyname.WSOCK32(?), ref: 00EE0628
IcmpCreateFile.IPHLPAPI ref: 00EE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EE07B9
WSACleanup.WSOCK32 ref: 00EE07BF

Strings

Ping, xrefs: 00EE0676

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dddb1bc3552099286ee1951b8ff3c78a84e5e65b5222226ce1428b3a745626be
Instruction ID: b3b49766a645c076a31165b0d767c3abfaf9c7c645b9a8d9e958f20e40838d35
Opcode Fuzzy Hash: dddb1bc3552099286ee1951b8ff3c78a84e5e65b5222226ce1428b3a745626be
Instruction Fuzzy Hash: 3391C1356042459FD320DF16D488F16BBE0AF84318F149599F469AB7A2C7B0FC85CF91

Function 00EE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EE8CF3

Part of subcall function 00EC8E54: _wcslen.LIBCMT ref: 00EC8E77

_wcslen.LIBCMT ref: 00EE8D4E
_wcslen.LIBCMT ref: 00EE8D9C
_wcslen.LIBCMT ref: 00EE8DDC
_wcslen.LIBCMT ref: 00EE8E6E

Strings

stdcall, xrefs: 00EE8DD6, 00EE8DDB
winapi, xrefs: 00EE8D96, 00EE8D9B
cdecl, xrefs: 00EE8D48, 00EE8D4D
none, xrefs: 00EE8E65, 00EE8E6A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ed41117483597d52f417bfc82397f69c38860fe311cff9dc67b49c033218efd9
Instruction ID: 36d8d57562372445eb766fc68ae1d0c02ac2483adceb4adc19683d00687242e3
Opcode Fuzzy Hash: ed41117483597d52f417bfc82397f69c38860fe311cff9dc67b49c033218efd9
Instruction Fuzzy Hash: DB51C031A0055A9BCB24DF69CE508BEB7E5BF64328B205229E82AF72D5DB31DD40D790

Function 00EE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EE3774
CoUninitialize.OLE32 ref: 00EE377F
CoCreateInstance.OLE32(?,00000000,00000017,00EFFB78,?), ref: 00EE37D9
IIDFromString.OLE32(?,?), ref: 00EE384C
VariantInit.OLEAUT32(?), ref: 00EE38E4
VariantClear.OLEAUT32(?), ref: 00EE3936

Strings

NULL Pointer assignment, xrefs: 00EE381E
Invalid parameter, xrefs: 00EE3865
Failed to create object, xrefs: 00EE37E4, 00EE389A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e473d70d8bd6647b9bff0e4f694a98c1d036804b7f8fdb0db4c4492e3d7ac93b
Instruction ID: 438a70560c98b000da3fc6521889948631a50abcfb0cef4048e190075bd7a6d7
Opcode Fuzzy Hash: e473d70d8bd6647b9bff0e4f694a98c1d036804b7f8fdb0db4c4492e3d7ac93b
Instruction Fuzzy Hash: F761E170608345AFD314DF66D849F6ABBE8EF88714F10180EF885A7291D770EE48CB96

Function 00ED3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00ED33CF

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00ED33F0

Strings

Line %d (File "%s"):, xrefs: 00ED3443, 00ED345C
Incorrect parameters to object property !, xrefs: 00ED34AB
^ ERROR , xrefs: 00ED349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00ED3504
Error: , xrefs: 00ED34D1
"%s" (%d) : ==> %s:, xrefs: 00ED3522

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f02c975a70fe75ebed32c52bfd0fddd4777d76ed049d991a09ffbad3f80391c0
Instruction ID: dabf17fc97203cf4e6c0aad97c2f69c5dc9ae099aa8f1471d6f987623f351a09
Opcode Fuzzy Hash: f02c975a70fe75ebed32c52bfd0fddd4777d76ed049d991a09ffbad3f80391c0
Instruction Fuzzy Hash: 4C51B131940209AADF14EBA0EE46EEEB3B9EF14380F205065F40573192EB356F59DB61

Function 00ECB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ECB5FC
_wcslen.LIBCMT ref: 00ECB608
_wcslen.LIBCMT ref: 00ECB64D
_wcslen.LIBCMT ref: 00ECB68C
_wcslen.LIBCMT ref: 00ECB6C7

Strings

REMOVE, xrefs: 00ECB602, 00ECB607
KEYS, xrefs: 00ECB647, 00ECB64C
EXISTS, xrefs: 00ECB686, 00ECB68B
APPEND, xrefs: 00ECB6C1, 00ECB6C6

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5ab707dbf9f93da893da3bdb9ee3dc57a1395e4c64fe43b44c5041c1be8195eb
Instruction ID: 7abcb534be4a5d0b58eee820de8452572ed8f7373760c93d02e1912dafc636ea
Opcode Fuzzy Hash: 5ab707dbf9f93da893da3bdb9ee3dc57a1395e4c64fe43b44c5041c1be8195eb
Instruction Fuzzy Hash: 7A41CC32A001279ACB105F7DCA92BBE77A5AFA0758F24512DE465F7284E732CD42C790

Function 00ED5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ED5416
GetLastError.KERNEL32 ref: 00ED5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00ED54A7

Strings

INVALID, xrefs: 00ED5459
READY, xrefs: 00ED5460, 00ED5468
UNKNOWN, xrefs: 00ED5444
NOTREADY, xrefs: 00ED544B
READONLY, xrefs: 00ED5452

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 678bee369235fb6099cfec4343956c1e8193a2f67a525e497814d536fcaa1416
Instruction ID: 1f213dedbe0d9fb4e2c0148c9855fb3fa3ada4cf9a5414d6ced83b5ec438496d
Opcode Fuzzy Hash: 678bee369235fb6099cfec4343956c1e8193a2f67a525e497814d536fcaa1416
Instruction Fuzzy Hash: 0E31D236A005089FD710DF68D584AEABBF4EF44309F24906AE412EB392D731DD87CB92

Function 00EF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00EF3C79
SetMenu.USER32(?,00000000), ref: 00EF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF3D10
IsMenu.USER32(?), ref: 00EF3D24
CreatePopupMenu.USER32 ref: 00EF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF3D5B
DrawMenuBar.USER32 ref: 00EF3D63

Strings

F, xrefs: 00EF3D4E
0, xrefs: 00EF3C54

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 32cb6426920f497d722618c906624e8818e07e8561ea319aa1f7edf69fdedc47
Instruction ID: 11460a0eb09bf0d1ce6faa03eab81135bc536f0ff64d8c2375566c2fc8af1e7a
Opcode Fuzzy Hash: 32cb6426920f497d722618c906624e8818e07e8561ea319aa1f7edf69fdedc47
Instruction Fuzzy Hash: 08418974A0120DEFDB14CF65D844AEA7BB5FF89354F240028FA06A7360D731AA14CF90

Function 00EC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EC1F64
GetDlgCtrlID.USER32 ref: 00EC1F6F
GetParent.USER32 ref: 00EC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC1F8E
GetDlgCtrlID.USER32(?), ref: 00EC1F97
GetParent.USER32(?), ref: 00EC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC1FAE

Strings

ComboBox, xrefs: 00EC1EEC
ListBox, xrefs: 00EC1F21

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 349956dd31620ebbaea4af4a8660e6769bce143f82e7aa94a91fc4fb15c64f29
Instruction ID: 468c33cd564e46dd03cbe8e411d4ec45865da8e14efaa65919144f13c545b8d6
Opcode Fuzzy Hash: 349956dd31620ebbaea4af4a8660e6769bce143f82e7aa94a91fc4fb15c64f29
Instruction Fuzzy Hash: 0D21F570A00118BFCF04AFA0DD44EFEBBB8EF46350B201149F961B3292DB358919DB61

Function 00EC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EC2043
GetDlgCtrlID.USER32 ref: 00EC204E
GetParent.USER32 ref: 00EC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC206D
GetDlgCtrlID.USER32(?), ref: 00EC2076
GetParent.USER32(?), ref: 00EC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC208D

Strings

ComboBox, xrefs: 00EC1FCD
ListBox, xrefs: 00EC2002

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cbcca3a0977cee82e6eac82eaffd0b6f8345dbd6dcf2beb62a4fa07778bc93ab
Instruction ID: 58359050da497715c5deb60856eb321207ecb3e02801372b2c837afc26381466
Opcode Fuzzy Hash: cbcca3a0977cee82e6eac82eaffd0b6f8345dbd6dcf2beb62a4fa07778bc93ab
Instruction Fuzzy Hash: 5921F671900218BFCF14AFA0DD45EFEBBB8EF15340F20500AF951B71A1DA768919DB61

Function 00EF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00EF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EF3C13

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: d0708dffe0a8b3927f4e914ab86e0b059e9a33fece27bc2d0cbddf80fc74ade4
Instruction ID: a7ce7fd5bc44748250730113ba63a82060c113f58d35810ece035492f1a43d8e
Opcode Fuzzy Hash: d0708dffe0a8b3927f4e914ab86e0b059e9a33fece27bc2d0cbddf80fc74ade4
Instruction Fuzzy Hash: C8615A75900248AFDB10DFA8CC81EFEB7F8EB49714F104199FA15A72A1D770AE45DB60

Function 00ECB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ECB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB165
GetWindowThreadProcessId.USER32(00000000), ref: 00ECB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00ECA1E1,?,00000001), ref: 00ECB21D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7d49741ab55256523800a90cc1890af0d7ac9e78cd38941f9a4ddeea9f39345e
Instruction ID: c5c983f5d40b955eca88bc6aad81df10ef886590b6299d3bbc995835098f4381
Opcode Fuzzy Hash: 7d49741ab55256523800a90cc1890af0d7ac9e78cd38941f9a4ddeea9f39345e
Instruction Fuzzy Hash: 5931A0B1500208AFDB24DF25DE4AF7D7BAABB51329F205009F901E61A0D7B59E41DF60

Function 00E92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E92C94

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E92CA0
_free.LIBCMT ref: 00E92CAB
_free.LIBCMT ref: 00E92CB6
_free.LIBCMT ref: 00E92CC1
_free.LIBCMT ref: 00E92CCC
_free.LIBCMT ref: 00E92CD7
_free.LIBCMT ref: 00E92CE2
_free.LIBCMT ref: 00E92CED
_free.LIBCMT ref: 00E92CFB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4eabae7e7e4fa110150639090299747e8efd49d5a8781fee7514f3365264ce68
Instruction ID: b39173dc6a7cf45f9b3be3d9f47a470a6d620c0f302f9a30ab48ea8ad5a12014
Opcode Fuzzy Hash: 4eabae7e7e4fa110150639090299747e8efd49d5a8781fee7514f3365264ce68
Instruction Fuzzy Hash: BB117276500108BFCF02EF94D982CDD3BA9FF45350F9155A9FA48AF222DA31EE509B90

Function 00ED7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED7FC1
GetFileAttributesW.KERNEL32(?), ref: 00ED7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00ED8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00ED80B0

Strings

*.*, xrefs: 00ED8066

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fc9a821645ecd74a9b2c10819e5f40790909b89cd34864c31c6c590748e3c3dd
Instruction ID: 8abbea836690c3548ad819eaf807c75646301e30ee69859a5ad3a6c89131c3cf
Opcode Fuzzy Hash: fc9a821645ecd74a9b2c10819e5f40790909b89cd34864c31c6c590748e3c3dd
Instruction Fuzzy Hash: C9819F715082419BDB20EF15C8449AEB3E8EB88354F14685FF8C9E7351EB35DD4ACB52

Function 00E65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E65C7A

Part of subcall function 00E65D0A: GetClientRect.USER32(?,?), ref: 00E65D30
Part of subcall function 00E65D0A: GetWindowRect.USER32(?,?), ref: 00E65D71
Part of subcall function 00E65D0A: ScreenToClient.USER32(?,?), ref: 00E65D99

GetDC.USER32 ref: 00EA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EA4708
SelectObject.GDI32(00000000,00000000), ref: 00EA4716
SelectObject.GDI32(00000000,00000000), ref: 00EA472B
ReleaseDC.USER32(?,00000000), ref: 00EA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EA47C4

Strings

U, xrefs: 00EA4693

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4c5bb1763a6853647cb758db748e6e393833fbf78d4f9e9bd90833afcaf8e516
Instruction ID: 57e30a55012d7c8800c95522fabddf306d2ab27075b386609182101966926ef8
Opcode Fuzzy Hash: 4c5bb1763a6853647cb758db748e6e393833fbf78d4f9e9bd90833afcaf8e516
Instruction Fuzzy Hash: 0A710071500208DFCF218F64C984AFA7BB1FFCA368F24626AF9517A1A6C770A841DF50

Function 00ED359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00ED35E4

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

LoadStringW.USER32(00F32390,?,00000FFF,?), ref: 00ED360A

Strings

Line %d (File "%s"):, xrefs: 00ED366B
^ ERROR, xrefs: 00ED36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00ED3724
Error: , xrefs: 00ED36EF
"%s" (%d) : ==> %s:, xrefs: 00ED3742

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 263893f4a13c444ee6f7e44a833a3842e39c43bab493ba76afc80823e3aea81b
Instruction ID: 73410c6f584134dde55fc1b4503d90975eedd7737086257ee143b262c8df9473
Opcode Fuzzy Hash: 263893f4a13c444ee6f7e44a833a3842e39c43bab493ba76afc80823e3aea81b
Instruction Fuzzy Hash: F051C271840209BBCF14EBA0ED42EEEBBB8EF14350F146126F105721A2DB315B99DF61

Function 00EDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EDC2CA
GetLastError.KERNEL32 ref: 00EDC322
SetEvent.KERNEL32(?), ref: 00EDC336
InternetCloseHandle.WININET(00000000), ref: 00EDC341

Strings

, xrefs: 00EDC2BB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6a66612165b8fadcf7c0f17f6e7614fb9850b01d796262b02f229dbd0779885c
Instruction ID: 0510e5ba1e1c0f43df988666e96793a8b7089dc96fab58fc81526fb2a89db498
Opcode Fuzzy Hash: 6a66612165b8fadcf7c0f17f6e7614fb9850b01d796262b02f229dbd0779885c
Instruction Fuzzy Hash: 16318DB1600609AFD7219F658D88ABB7BFCEB49784B30951FF446A2350DB30DD0ADB60

Function 00EC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EA3AAF,?,?,Bad directive syntax error,00EFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EC98BC
LoadStringW.USER32(00000000,?,00EA3AAF,?), ref: 00EC98C3

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EC9987

Strings

Line %d (File "%s"):, xrefs: 00EC992D
%s (%d) : ==> %s.: %s %s, xrefs: 00EC98F1
Error: , xrefs: 00EC9955
Line %d:, xrefs: 00EC9912
., xrefs: 00EC996D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a450229681c8fafdf5d85fbc7a2c9538be02ff3be4039ff15913478d1ecad901
Instruction ID: e1c711ec29c8c3311100909aea47f1d45e485bba593ae945d7f2ea39d20ee197
Opcode Fuzzy Hash: a450229681c8fafdf5d85fbc7a2c9538be02ff3be4039ff15913478d1ecad901
Instruction Fuzzy Hash: FA217E3188021EABCF15EF90DD0AEFE77B9BF18740F046469F515760A2EB31AA18DB11

Function 00EC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EC214D

Strings

SHELLDLL_DefView, xrefs: 00EC20CC
details, xrefs: 00EC20FB
largeicons, xrefs: 00EC20E1
smallicons, xrefs: 00EC2115
list, xrefs: 00EC212F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6be9eb1c254d7d8d640b15c2e6c6e013fce93edea9149ef460bcd554fa379193
Instruction ID: fa543a60aa56d36342ed7531562266276cd641c6702b655b06a032e4ac2be0c9
Opcode Fuzzy Hash: 6be9eb1c254d7d8d640b15c2e6c6e013fce93edea9149ef460bcd554fa379193
Instruction Fuzzy Hash: 1611E776688717B9F6052620AD06EE6379CCB04B24B20206EFB08B50E1FE7298066A15

Function 00E9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E9CEB7
_free.LIBCMT ref: 00E9CF22
_free.LIBCMT ref: 00E9CF48
_free.LIBCMT ref: 00E9CF71
_free.LIBCMT ref: 00E9CFA9
_free.LIBCMT ref: 00E9CFDA
_free.LIBCMT ref: 00E9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E9D09C
_free.LIBCMT ref: 00E9D0B5

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9562a8cd904f2a6e082b1a31cf57bfc9884352b90c1bb0986d0e73844dff8294
Instruction ID: ea125274322296895b425c43b5f70c17fc2dbba26f17759371dea81f2f11df13
Opcode Fuzzy Hash: 9562a8cd904f2a6e082b1a31cf57bfc9884352b90c1bb0986d0e73844dff8294
Instruction Fuzzy Hash: D8617871A04314AFDF21BFB49C91AA97BE6EF05364F24116EF909B7281DB319D018790

Function 00EF50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00EF5186
ShowWindow.USER32(?,00000000), ref: 00EF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00EF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00EF51D1

Part of subcall function 00EF6FBA: DeleteObject.GDI32(00000000), ref: 00EF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00EF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00EF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00EF5296

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5e666bd0744f72d7fa61f42d14bece35ac8b05551d8ab8e3718e53ffcee3423a
Instruction ID: 266e186d620eabfbb96cefd4f2528ce61c8aa131dc6a4803e8a25b6b3019c20a
Opcode Fuzzy Hash: 5e666bd0744f72d7fa61f42d14bece35ac8b05551d8ab8e3718e53ffcee3423a
Instruction Fuzzy Hash: 6D518232A41A0CBEEF249F24CC45BF83BB5AF15325F246212F719B62E1C375A944DB41

Function 00E78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00EB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00EB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00EB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E78874,00000000,00000000,00000000,000000FF,00000000), ref: 00EB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E78874,00000000,00000000,00000000,000000FF,00000000), ref: 00EB692D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 8adc81a9f172bf1ddf5329e679b8bdc5e3b941c6b3d270b1c1d17e12dba6e489
Instruction ID: 05172463764e742ec7e5c4563b915b65496285703c3dd4235471530ae809a378
Opcode Fuzzy Hash: 8adc81a9f172bf1ddf5329e679b8bdc5e3b941c6b3d270b1c1d17e12dba6e489
Instruction Fuzzy Hash: 3751BC74600209EFDB20CF25CD55FAA7BB5FF98764F209518F90AA72A0DB70E950DB40

Function 00EDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EDC182
GetLastError.KERNEL32 ref: 00EDC195
SetEvent.KERNEL32(?), ref: 00EDC1A9

Part of subcall function 00EDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EDC272
Part of subcall function 00EDC253: GetLastError.KERNEL32 ref: 00EDC322
Part of subcall function 00EDC253: SetEvent.KERNEL32(?), ref: 00EDC336
Part of subcall function 00EDC253: InternetCloseHandle.WININET(00000000), ref: 00EDC341

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ca1742675156ff5ceba820cca9e21467021e929d0454e647eb6314446ca31d01
Instruction ID: d1ac295deeead0a9b2ff85bcfd127c4a22f2ce8ecd1d4fb5656cbdd1ec1ef7e6
Opcode Fuzzy Hash: ca1742675156ff5ceba820cca9e21467021e929d0454e647eb6314446ca31d01
Instruction Fuzzy Hash: CC31A071201A06AFDB219FB5DD44AB6BBF8FF58384B30541EF956A2720D730E816DB60

Function 00EC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EC2627

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd7e3a21ec67723eccd1c5ed814e11a2cbee7ceabf42f8e29df171ae716a42a7
Instruction ID: 34ce8476cd8e9c07fddf6c778e740af58c91c8c6972bed9dfccdde2c61b17304
Opcode Fuzzy Hash: cd7e3a21ec67723eccd1c5ed814e11a2cbee7ceabf42f8e29df171ae716a42a7
Instruction Fuzzy Hash: BC01D830394214BBFB1067699C8AF697FA9DF8EB11F701005F314BE1D1C9F25459CA6A

Function 00EC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EC1449,?,?,00000000), ref: 00EC180C
HeapAlloc.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC1449,?,?,00000000), ref: 00EC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EC1449,?,?,00000000), ref: 00EC1830
DuplicateHandle.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC1449,?,?,00000000), ref: 00EC1843
GetCurrentProcess.KERNEL32(00EC1449,00000000,?,00EC1449,?,?,00000000), ref: 00EC184B
DuplicateHandle.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC184E
CreateThread.KERNEL32(00000000,00000000,00EC1874,00000000,00000000,00000000), ref: 00EC1868

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2d214299d5cfad202b52f48b9a3e3fb451b90111d0f5a709dca0c0f038d52f29
Instruction ID: dffa5d2f6aef0419b2b1a3f4dd0eb75961c520ecd22645cab2857f3a5201e102
Opcode Fuzzy Hash: 2d214299d5cfad202b52f48b9a3e3fb451b90111d0f5a709dca0c0f038d52f29
Instruction Fuzzy Hash: 4A01C275241308BFE710AF75DD4DF673B6CEB89B11F604451FA05EB192C6719814DB60

Function 00E93E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E93F0B
__alldvrm.LIBCMT ref: 00E9410C
__alldvrm.LIBCMT ref: 00E9412E

Strings

}}, xrefs: 00E93E8A
}}, xrefs: 00E940CD
}}, xrefs: 00E93E96, 00E93EF1, 00E93F0A, 00E94090

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: bfe25145c75e5eaa18489f7f81ec8506ae5037b3839af7528ab921ed679d6ee0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: CEA167B2E003869FDF25CF28C881BEEBBE5EF65354F1451ADE585BB281C2349982C751

Function 00EEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00ECD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ECD501
Part of subcall function 00ECD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ECD50F
Part of subcall function 00ECD4DC: CloseHandle.KERNEL32(00000000), ref: 00ECD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEA16D
GetLastError.KERNEL32 ref: 00EEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EEA268
GetLastError.KERNEL32(00000000), ref: 00EEA273
CloseHandle.KERNEL32(00000000), ref: 00EEA2C4

Strings

SeDebugPrivilege, xrefs: 00EEA18F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d43e01637359fa986d3f893a21ab16bac236e83155bb123be4508397480a7a13
Instruction ID: 5c0754c90cdf511407b0c6b1563357fe2ea904e380170711d4222a44fcc092a5
Opcode Fuzzy Hash: d43e01637359fa986d3f893a21ab16bac236e83155bb123be4508397480a7a13
Instruction Fuzzy Hash: 8661BE702052829FD710DF16C494F25BBE1AF44318F28949CE566AB7A3C772FC49CB92

Function 00EF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EF3954
_wcslen.LIBCMT ref: 00EF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EF39F4

Strings

SysListView32, xrefs: 00EF38F7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: afe0000e2d906ab0b391a97127369cecde7f9ec2052ca8e2b351cd395a4f92c5
Instruction ID: 6adfe5ec6962de130669e661a77559fb457e68b310b07b8dc5ef4884d06826bb
Opcode Fuzzy Hash: afe0000e2d906ab0b391a97127369cecde7f9ec2052ca8e2b351cd395a4f92c5
Instruction Fuzzy Hash: C541B271A0021DABDF219F64CC45BFA77A9EF48354F201526FA58F7281D7B1D984CB90

Function 00ECBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECBCFD
IsMenu.USER32(00000000), ref: 00ECBD1D
CreatePopupMenu.USER32 ref: 00ECBD53
GetMenuItemCount.USER32(010A5698), ref: 00ECBDA4
InsertMenuItemW.USER32(010A5698,?,00000001,00000030), ref: 00ECBDCC

Strings

0, xrefs: 00ECBCA8
2, xrefs: 00ECBD37

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ba7c9d3df044c409a63c9b814c0e3706a66adbecd64f245c6e9d9269e2d38480
Instruction ID: fd4852b427ff14d8685897f0963d6f0882615b33a12f1cc849fca79db201157d
Opcode Fuzzy Hash: ba7c9d3df044c409a63c9b814c0e3706a66adbecd64f245c6e9d9269e2d38480
Instruction Fuzzy Hash: 2651AE70A003099BDB10CFA9DA86FAEBFF8AF85318F24515DE402F7290D7729946CB51

Function 00E82D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E82D53
_ValidateLocalCookies.LIBCMT ref: 00E82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E82E0C
_ValidateLocalCookies.LIBCMT ref: 00E82E61

Strings

csm, xrefs: 00E82DF6
&H, xrefs: 00E82DFE, 00E82E07, 00E82E18

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: a2d2aeb984bc61e78bd82160df27def4fe2df01e9bde2ebd465e304c4a4854c7
Instruction ID: 1906d687d6c23007b16a98a9a678e6883e7512a9eafd409c3125e8b1c001a1de
Opcode Fuzzy Hash: a2d2aeb984bc61e78bd82160df27def4fe2df01e9bde2ebd465e304c4a4854c7
Instruction Fuzzy Hash: 8C419434A002099BCF14EF68C845A9EBFF5BF44318F149159E91DBB392D731AA05CBD1

Function 00ECC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ECC913

Strings

warning, xrefs: 00ECC8FC
info, xrefs: 00ECC8B4
blank, xrefs: 00ECC895
question, xrefs: 00ECC8CC
stop, xrefs: 00ECC8E4

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 420a58f45bd4b484dcdbbcbae1081c27167e05b087ee35ab8431fee01fd61a78
Instruction ID: 273edc55029bdf55dad7c05354f198f9cb6879ab809365665adbfc34ea8a1c94
Opcode Fuzzy Hash: 420a58f45bd4b484dcdbbcbae1081c27167e05b087ee35ab8431fee01fd61a78
Instruction Fuzzy Hash: FA112E32689317BEA704A714AD82EEB67DCDF55358B30102EF50CF52C1E772AD025365

Function 00ECDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ECDE42
gethostname.WSOCK32(?,00000100), ref: 00ECDE5C
gethostbyname.WSOCK32(?), ref: 00ECDE69
inet_ntoa.WSOCK32(?), ref: 00ECDEAB
_strcat.LIBCMT ref: 00ECDEB9
WSACleanup.WSOCK32 ref: 00ECDEDE

Strings

0.0.0.0, xrefs: 00ECDE87

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 41a9383d8740a6bb9b48a4e9b8b7cbb3377c5b8206cb2f1a16770a86dd9f2fe6
Instruction ID: 7daf12d1fbd22e595eb88c3e1e76ba08416e5307223476304c7fcd825f1dbd22
Opcode Fuzzy Hash: 41a9383d8740a6bb9b48a4e9b8b7cbb3377c5b8206cb2f1a16770a86dd9f2fe6
Instruction Fuzzy Hash: 52110271808109AFCB20BB209E0AEEA77ACDB54314F20117AF00DB6091EF728A86CB50

Function 00EF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetSystemMetrics.USER32(0000000F), ref: 00EF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00EF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EFA263
ShowWindow.USER32(00000003,00000000), ref: 00EFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00EFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EFA2CA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a206fc67abec34840d1dc8d2abc5e566b6f517bacfbb5b0dda154ce11d24d5cf
Instruction ID: baac4a50ebc38aebed7345ddcfcb6d1085a71bfc8bedceb6e8bf5c75fc7ce0e0
Opcode Fuzzy Hash: a206fc67abec34840d1dc8d2abc5e566b6f517bacfbb5b0dda154ce11d24d5cf
Instruction Fuzzy Hash: 65B1B9B1600219DFDF14CF68C9847BA3BB2BF44705F19907AEE89AF295D731AA40CB51

Function 00ECED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ECED2A
_wcslen.LIBCMT ref: 00ECED3B
_wcslen.LIBCMT ref: 00ECED79
_wcslen.LIBCMT ref: 00ECEDAF
_wcslen.LIBCMT ref: 00ECEDDF
_wcslen.LIBCMT ref: 00ECEDEF
_wcslen.LIBCMT ref: 00ECEE2B
_wcslen.LIBCMT ref: 00ECEE5A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a1747db5d5547bb787c000de6e5d8fc0bca37a8bb2193813b5959fb3a64127a7
Instruction ID: 9597a1353c39f1b471002c0f4c88f858265cbd2e193456e56e732962152ee121
Opcode Fuzzy Hash: a1747db5d5547bb787c000de6e5d8fc0bca37a8bb2193813b5959fb3a64127a7
Instruction Fuzzy Hash: AF417E65C1021966CB21FBB48C8AACFB7E8EF45710F50A466E51CF3262EB34E255C3A5

Function 00E7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00E7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EBF454

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6f8ff228ee24eeb353d053edf2f90d0442e66e7652614c8d0c546944fe20f7da
Instruction ID: 0d810ac0f22005ffdcbfb031569431891e02555cda9dc15d93b41deabe6ec3d4
Opcode Fuzzy Hash: 6f8ff228ee24eeb353d053edf2f90d0442e66e7652614c8d0c546944fe20f7da
Instruction Fuzzy Hash: 07412B31508680BEC7349B6D8D887BB7BE2ABD5318F24E03DE25F76561D671D884CB11

Function 00EF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EF2D1B
GetDC.USER32(00000000), ref: 00EF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00EF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00EF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EF2DE1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 595770cdaf00baec60147133031dfae2fab83625943a182a257c3d8820f2a7f1
Instruction ID: d093a6348e5516e1bf6d9f0d30070e282cc01860cf12d397f02d2b6b9736dce8
Opcode Fuzzy Hash: 595770cdaf00baec60147133031dfae2fab83625943a182a257c3d8820f2a7f1
Instruction Fuzzy Hash: A6319872201218AFEB208F11CC8AFBB3BA9EB49715F244055FF08EA291C6758845CBA1

Function 00EC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EC5637
_memcmp.LIBVCRUNTIME ref: 00EC5659
_memcmp.LIBVCRUNTIME ref: 00EC5671
_memcmp.LIBVCRUNTIME ref: 00EC5684
_memcmp.LIBVCRUNTIME ref: 00EC569E
_memcmp.LIBVCRUNTIME ref: 00EC56B1
_memcmp.LIBVCRUNTIME ref: 00EC56C9
_memcmp.LIBVCRUNTIME ref: 00EC56E4

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b37d69ee2572b8182082392133d8d6fa8ff8ad6d41158a870c6eab6e9cb8e08f
Instruction ID: 771a42eafc265e784f044350f5b991ae323ccaec9e99bb02b8bc681c52276819
Opcode Fuzzy Hash: b37d69ee2572b8182082392133d8d6fa8ff8ad6d41158a870c6eab6e9cb8e08f
Instruction Fuzzy Hash: BE21AA63640B1977D61465108F82FFA739CAF11388F542029FE0C7A541F722FD9382A9

Function 00EE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00EE502E, 00EE5383
Not an Object type, xrefs: 00EE5007

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: cb1a77c6af870fa418a313e3d4cdcc2491d30d09a795c1ccf2cc1720d9c18c94
Instruction ID: 9d4693819ab57eeb302abe85a689295d9b5b5bd0baa32d63b358ec1c3dc2b9f6
Opcode Fuzzy Hash: cb1a77c6af870fa418a313e3d4cdcc2491d30d09a795c1ccf2cc1720d9c18c94
Instruction Fuzzy Hash: 27D1B072A0064E9FDF10CFA9C881BAEB7B5BF48358F149069E915BB281E770DD45CB90

Function 00EA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00EA15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EA1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EA16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EA16FB

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EA1777
__freea.LIBCMT ref: 00EA17A2
__freea.LIBCMT ref: 00EA17AE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7e4ed822ca9c5a7e5012e2c9bf7bd0917f181f96246504446be69ac82c3a1985
Instruction ID: ef40a0fef5eb6ba84278eb0a1bd4462256d6ec665568a9f69b7cebb4d266ac4d
Opcode Fuzzy Hash: 7e4ed822ca9c5a7e5012e2c9bf7bd0917f181f96246504446be69ac82c3a1985
Instruction Fuzzy Hash: F091A371E002169ADF248E74C881AEE7BF5AF8F714F186599F801FB181D725ED44CB60

Function 00EE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE4648
VariantInit.OLEAUT32(?), ref: 00EE4749
VariantClear.OLEAUT32(?), ref: 00EE4753
VariantClear.OLEAUT32(?), ref: 00EE47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00EE472C
Null Object assignment in FOR..IN loop, xrefs: 00EE45D8, 00EE4706, 00EE47BE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d95a8c385abcd4678f2f8e17233c9a265d4add72c47644678f28b1745ad08237
Instruction ID: c74589dcd5cf62b9e061c9f43543685c1e1193cd4eab88ec19ce05f83eac0417
Opcode Fuzzy Hash: d95a8c385abcd4678f2f8e17233c9a265d4add72c47644678f28b1745ad08237
Instruction Fuzzy Hash: 4D91B2B1A00259AFDF20CFA6D844FAEBBB8EF46714F10955AF505BB280D7709945CFA0

Function 00ED1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00ED125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00ED1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00ED12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED1430

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e2e06562acb8505ce07e4b29765c1a53d5983d1de449c506947e5b83486c7348
Instruction ID: a3550bdf2126fa44a298ab9475540aa685e473475e3107ece826d149480e1766
Opcode Fuzzy Hash: e2e06562acb8505ce07e4b29765c1a53d5983d1de449c506947e5b83486c7348
Instruction Fuzzy Hash: 6891BF71A00218AFDB009F98C884BBEB7B5FF45315F24606AE950FB3A1D775A946CB90

Function 00E7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ca463150d3d86d51c543fc0de6d62fa25f927720636dcaa6f61c69ebe86b36a4
Instruction ID: 703728c5a3a5b4fc36686e69cfe15e041339132315d92fcc37e084448aabe1bb
Opcode Fuzzy Hash: ca463150d3d86d51c543fc0de6d62fa25f927720636dcaa6f61c69ebe86b36a4
Instruction Fuzzy Hash: 07914971D00219EFCB10CFA9CC84AEEBBB8FF89324F249155E515B7252D774A942CB60

Function 00EE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE396B
CharUpperBuffW.USER32(?,?), ref: 00EE3A7A
_wcslen.LIBCMT ref: 00EE3A8A
VariantClear.OLEAUT32(?), ref: 00EE3C1F

Part of subcall function 00ED0CDF: VariantInit.OLEAUT32(00000000), ref: 00ED0D1F
Part of subcall function 00ED0CDF: VariantCopy.OLEAUT32(?,?), ref: 00ED0D28
Part of subcall function 00ED0CDF: VariantClear.OLEAUT32(?), ref: 00ED0D34

Strings

Incorrect Parameter format, xrefs: 00EE39A6, 00EE3BA1
AUTOIT.ERROR, xrefs: 00EE3A80, 00EE3A85

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5fd0bc751f3c58012cd06a24d0d0c0d8b49a71548f9f7b0ee6295c8f8309ec84
Instruction ID: 9b3c23634c753df715a6d1f27eb241fa137df2265b2f6ec2e11cddfc4a6c48e7
Opcode Fuzzy Hash: 5fd0bc751f3c58012cd06a24d0d0c0d8b49a71548f9f7b0ee6295c8f8309ec84
Instruction Fuzzy Hash: 7E919D746083459FC704EF25C48496AB7E5FF88318F14986EF88AA7351DB31EE45CB92

Function 00EE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?,?,00EC035E), ref: 00EC002B
Part of subcall function 00EC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0046
Part of subcall function 00EC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0054
Part of subcall function 00EC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?), ref: 00EC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EE4C51
_wcslen.LIBCMT ref: 00EE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EE4DCF
CoTaskMemFree.OLE32(?), ref: 00EE4DDA

Strings

NULL Pointer assignment, xrefs: 00EE4E23, 00EE4E52

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 768a8689a5500f8e37728572483f6e4a98121913c9d50408f1e3e98e72fc0973
Instruction ID: 6426916c3d04c87654c50986f4010fc6d75a9217aaf14d68faec031df9da14c3
Opcode Fuzzy Hash: 768a8689a5500f8e37728572483f6e4a98121913c9d50408f1e3e98e72fc0973
Instruction Fuzzy Hash: 819148B1D0025D9FDF14DFA5D881AEEB7B8BF08314F205169E915BB291DB305A45CF60

Function 00EF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EF2183
GetMenuItemCount.USER32(00000000), ref: 00EF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EF21DD
_wcslen.LIBCMT ref: 00EF2213
GetMenuItemID.USER32(?,?), ref: 00EF224D
GetSubMenu.USER32(?,?), ref: 00EF225B

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EF22E3

Part of subcall function 00ECE97B: Sleep.KERNELBASE ref: 00ECE9F3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3991b0b9b2b5091710ef5d5db551ca909a08d5c84de83d14e29c3c9a48818b86
Instruction ID: 7ff58647eb638ace7b33bab3969530d3209a3430521c18e412fe651a16265858
Opcode Fuzzy Hash: 3991b0b9b2b5091710ef5d5db551ca909a08d5c84de83d14e29c3c9a48818b86
Instruction Fuzzy Hash: 1B718C75A00209AFCB10DFA4C841ABEB7F1EF88314F249459EA56BB351DB34AD418B90

Function 00EF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010A53A0), ref: 00EF7F37
IsWindowEnabled.USER32(010A53A0), ref: 00EF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00EF801E
SendMessageW.USER32(010A53A0,000000B0,?,?), ref: 00EF8051
IsDlgButtonChecked.USER32(?,?), ref: 00EF8089
GetWindowLongW.USER32(010A53A0,000000EC), ref: 00EF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EF80C3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4a24010110f85835300d2c06a635530c5b48c114e4433e49f57d0963d373c1d8
Instruction ID: 0623410c3575b18af8d4efebc1037f3df409967bcd4b3eb59161f9ec270b39ee
Opcode Fuzzy Hash: 4a24010110f85835300d2c06a635530c5b48c114e4433e49f57d0963d373c1d8
Instruction Fuzzy Hash: 2B719E3560820CAFEB219F64C984FFA7BB9FF49304F245499EA85B7261CB31A845DB10

Function 00ECAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ECAEF9
GetKeyboardState.USER32(?), ref: 00ECAF0E
SetKeyboardState.USER32(?), ref: 00ECAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ECAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ECAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ECAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ECB020

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3c2a704f09cdff2d59e472424f59d0113bee84f8be97e92b3f77d451ba37453c
Instruction ID: 7505b1f416d15e16d7e6e7e73c117772cc92a63b291caae42ba58a710fcf32e6
Opcode Fuzzy Hash: 3c2a704f09cdff2d59e472424f59d0113bee84f8be97e92b3f77d451ba37453c
Instruction Fuzzy Hash: 6F51D1A06043D93DFB364234C946FBA7EE95B06308F0C949DE1D5A54C2C3AAA8CAD752

Function 00ECACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ECAD19
GetKeyboardState.USER32(?), ref: 00ECAD2E
SetKeyboardState.USER32(?), ref: 00ECAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ECADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ECADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ECAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ECAE38

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f83c8cabe86367269bb6cb0eaf758f56b2a3a7df04f13b44de9ea18c284c88c
Instruction ID: dc3df3d51e82030471dcf703e1f8c561cdef9f34cd1de50e6c16b17c29fac34e
Opcode Fuzzy Hash: 0f83c8cabe86367269bb6cb0eaf758f56b2a3a7df04f13b44de9ea18c284c88c
Instruction Fuzzy Hash: CB51E5A05047D93DFB3682348D45FBA7EA85B4530CF0C949CE1D6A68C3C296ECCAD792

Function 00E9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EA3CD6,?,?,?,?,?,?,?,?,00E95BA3,?,?,00EA3CD6,?,?), ref: 00E95470
__fassign.LIBCMT ref: 00E954EB
__fassign.LIBCMT ref: 00E95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EA3CD6,00000005,00000000,00000000), ref: 00E9552C
WriteFile.KERNEL32(?,00EA3CD6,00000000,00E95BA3,00000000,?,?,?,?,?,?,?,?,?,00E95BA3,?), ref: 00E9554B
WriteFile.KERNEL32(?,?,00000001,00E95BA3,00000000,?,?,?,?,?,?,?,?,?,00E95BA3,?), ref: 00E95584

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 13ec6b41dbe737c07891dc9093c0cdb883786d449c993acb6460b97a8c990e34
Instruction ID: b4a23eaa8fd98e1904ccfacd1a5c3237db9dfaca4e34624dba93d81a9aac56f1
Opcode Fuzzy Hash: 13ec6b41dbe737c07891dc9093c0cdb883786d449c993acb6460b97a8c990e34
Instruction Fuzzy Hash: 5B51C171A006099FDF11CFA8D841AEEBBF9EF49300F25515AE555F7292D6309A41CF60

Function 00EE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE304E: inet_addr.WSOCK32(?), ref: 00EE307A
Part of subcall function 00EE304E: _wcslen.LIBCMT ref: 00EE309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00EE1112
WSAGetLastError.WSOCK32 ref: 00EE1121
WSAGetLastError.WSOCK32 ref: 00EE11C9
closesocket.WSOCK32(00000000), ref: 00EE11F9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e2fee7b216aa195e4ad52f121cb6209e36c617eb5a75472b019da131d324ea13
Instruction ID: 01862202e01e51d8d20a4d33257998d883fe6e5d8e6ed8b9ce9b529fb712c633
Opcode Fuzzy Hash: e2fee7b216aa195e4ad52f121cb6209e36c617eb5a75472b019da131d324ea13
Instruction Fuzzy Hash: 2E411631200248AFDB109F65C844BA9B7E9EF84368F249099F905BB291C770AD85CBA0

Function 00ECCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ECCF22,?), ref: 00ECDDFD

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ECCF22,?), ref: 00ECDE16

lstrcmpiW.KERNEL32(?,?), ref: 00ECCF45
MoveFileW.KERNEL32(?,?), ref: 00ECCF7F
_wcslen.LIBCMT ref: 00ECD005
_wcslen.LIBCMT ref: 00ECD01B
SHFileOperationW.SHELL32(?), ref: 00ECD061

Strings

\*.*, xrefs: 00ECCFF3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e72d9968e1f5fc6c480d7d8b224687781edfe59cf67bc54b8755a16cb92862c9
Instruction ID: e1fd6b46aebb625ae3762ec0b8343fd00a8187975d36570fc5e0175c61ae2b3e
Opcode Fuzzy Hash: e72d9968e1f5fc6c480d7d8b224687781edfe59cf67bc54b8755a16cb92862c9
Instruction Fuzzy Hash: 8D4184719052185EDF12EBA4DA81FDDB7F8AF48380F1410EAE509FB142EA35A649CB10

Function 00EF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00EF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00EF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00EF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF2F0B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d4aec245ffe05c6c154872a732152be4acde3ca340f14375d8fd210a037d5526
Instruction ID: 1cecbc066608f13ce097cb26aa2a5a782e224155e4512f43a1b7aec3e6e120d4
Opcode Fuzzy Hash: d4aec245ffe05c6c154872a732152be4acde3ca340f14375d8fd210a037d5526
Instruction Fuzzy Hash: 043114316451489FEB228F18DD84FA537E1FB8AB24F251168FB00EF2B1CB71A844EB01

Function 00EC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC778F
SysAllocString.OLEAUT32(00000000), ref: 00EC7792
SysAllocString.OLEAUT32(?), ref: 00EC77B0
SysFreeString.OLEAUT32(?), ref: 00EC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EC77DE
SysAllocString.OLEAUT32(?), ref: 00EC77EC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 67eff7ec5d7e5760f4f66b596a459c233ede3153ed9ecda9d859fe0035f6f914
Instruction ID: 97263008ef181429e66b9369a36f5cd54163f1e02814bf0d9851480806693aee
Opcode Fuzzy Hash: 67eff7ec5d7e5760f4f66b596a459c233ede3153ed9ecda9d859fe0035f6f914
Instruction Fuzzy Hash: 4821B27660421DAFDB10DFA9DD88DBB73ACEB09364720802AF954EB150D670DC46CB64

Function 00EC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7868
SysAllocString.OLEAUT32(00000000), ref: 00EC786B
SysAllocString.OLEAUT32 ref: 00EC788C
SysFreeString.OLEAUT32 ref: 00EC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EC78AF
SysAllocString.OLEAUT32(?), ref: 00EC78BD

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 34aa0c5f26179b34d236e3d90082aa313d160e1530b1f1987f15da0534322792
Instruction ID: d25a2151624408391cc853a86ff0ac5b2b5ff22f3a9ee67830a1c3606d969070
Opcode Fuzzy Hash: 34aa0c5f26179b34d236e3d90082aa313d160e1530b1f1987f15da0534322792
Instruction Fuzzy Hash: 8B21C732604118AFDB149FA9DD89EBA77ECEB083607208029FA54EB1A0D670DC45CB64

Function 00ED04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00ED04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED052E

Strings

nul, xrefs: 00ED0567

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2d7bb1bedf95241da1242bf70871904d2c1bf19c2e427722b10086b05854eeb1
Instruction ID: d71b156a8360c3524ce621ffab63e238fd11cb9db36e8531dea28b7ef30d9c2e
Opcode Fuzzy Hash: 2d7bb1bedf95241da1242bf70871904d2c1bf19c2e427722b10086b05854eeb1
Instruction Fuzzy Hash: 7D215175500305DFDB309F29E845B9A77A4EF84728F244A1AECA1F72E0D7709955DF20

Function 00ED05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00ED05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED0601

Strings

nul, xrefs: 00ED0639

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7d75950b22c1631dbc5698154abc507f2a562847df60c83cda01fec499385a54
Instruction ID: 544cf8c594a4eb0cfafb6e0ec1d4c21b97093a9111312ce40066896e829daec9
Opcode Fuzzy Hash: 7d75950b22c1631dbc5698154abc507f2a562847df60c83cda01fec499385a54
Instruction Fuzzy Hash: F6216D755002059FDB209F699804BAA77E4EF95724F341A1AE8B1F73E0D670D866CB20

Function 00EF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
Part of subcall function 00E6600E: GetStockObject.GDI32(00000011), ref: 00E66060
Part of subcall function 00E6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EF4145

Strings

Msctls_Progress32, xrefs: 00EF40E3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ea825db03b69bcb0ede87ab0f80bf6e71adccde0e0ed056be5fd239903a42789
Instruction ID: fbba94df989d817b8da9026390b531720a0b0d2052bc6a4f273c4bdde8cddee4
Opcode Fuzzy Hash: ea825db03b69bcb0ede87ab0f80bf6e71adccde0e0ed056be5fd239903a42789
Instruction Fuzzy Hash: BF1190B215021DBEEF219E64CC85EF77F9DEF087A8F115110BB18A6090CB729C21DBA4

Function 00E9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9D7A3: _free.LIBCMT ref: 00E9D7CC

_free.LIBCMT ref: 00E9D82D

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9D838
_free.LIBCMT ref: 00E9D843
_free.LIBCMT ref: 00E9D897
_free.LIBCMT ref: 00E9D8A2
_free.LIBCMT ref: 00E9D8AD
_free.LIBCMT ref: 00E9D8B8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 56205070649f9be39d8a1a57515a991b723a88cffbc0ba816131ea7c71b84064
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5C111971944B14BADE21FFF0CC47FCB7BDCAF44700F40682AB29DB6492DA65B50586A0

Function 00ECDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ECDA74
LoadStringW.USER32(00000000), ref: 00ECDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ECDA91
LoadStringW.USER32(00000000), ref: 00ECDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ECDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ECDAB9

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c4c3262002de077d9e95409f9eed972e288d3780dace64140a8828f853256f1e
Instruction ID: f39c16874bdfeb51915b0dd32e84d7377edb245f36dcbe0c412eb9798bedc3e6
Opcode Fuzzy Hash: c4c3262002de077d9e95409f9eed972e288d3780dace64140a8828f853256f1e
Instruction Fuzzy Hash: 170162F250420C7FE710ABA19E89EF7726CE748701F6004A6B746F2041E6759E898F74

Function 00ED096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0109E380,0109E380), ref: 00ED097B
EnterCriticalSection.KERNEL32(0109E360,00000000), ref: 00ED098D
TerminateThread.KERNEL32(?,000001F6), ref: 00ED099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00ED09A9
CloseHandle.KERNEL32(?), ref: 00ED09B8
InterlockedExchange.KERNEL32(0109E380,000001F6), ref: 00ED09C8
LeaveCriticalSection.KERNEL32(0109E360), ref: 00ED09CF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4fb3d71190ad8f7463267837f3b40d5ffa04a395f9fa3d07a731b5586d55153b
Instruction ID: 850d92a125b33ebb6e65e3976bbf46e95e644f10d394c224eda82c102e42603a
Opcode Fuzzy Hash: 4fb3d71190ad8f7463267837f3b40d5ffa04a395f9fa3d07a731b5586d55153b
Instruction Fuzzy Hash: 7AF01D31442906AFE7415B95EF88BE67A35FF81702FA42016F101A08B1C7759469DF90

Function 00E65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E65D30
GetWindowRect.USER32(?,?), ref: 00E65D71
ScreenToClient.USER32(?,?), ref: 00E65D99
GetClientRect.USER32(?,?), ref: 00E65ED7
GetWindowRect.USER32(?,?), ref: 00E65EF8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7a5713d6706b89bb84333e35b6ed4d12d4c31f09da4b00633209421a3bb039bb
Instruction ID: 4b7aca032b67583cb4b7a1c8798c99099d85fff4506efee16b269defbb335da0
Opcode Fuzzy Hash: 7a5713d6706b89bb84333e35b6ed4d12d4c31f09da4b00633209421a3bb039bb
Instruction Fuzzy Hash: 03B18C75A0074ADBDB14CFA9D4407EEB7F1FF88314F14A41AE8A9E7290D734AA51CB50

Function 00E901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E900D6
__allrem.LIBCMT ref: 00E900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9010B
__allrem.LIBCMT ref: 00E90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E90140

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 8e4a3dd71e9d4122ed0fa8883d6f05114c0824f040099617651b1bcd6a04aeb5
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 31811672B00706AFEB24AF69CC41B6B73E9AF45728F24653EF559F6281E770E9008750

Function 00EE1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00EE3195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00EE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EE1DE1
WSAGetLastError.WSOCK32 ref: 00EE1DF2
inet_ntoa.WSOCK32(?), ref: 00EE1E8C
htons.WSOCK32(?), ref: 00EE1EDB
_strlen.LIBCMT ref: 00EE1F35

Part of subcall function 00EC39E8: _strlen.LIBCMT ref: 00EC39F2

Part of subcall function 00E66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00E7CF58,?,?,?), ref: 00E66DBA
Part of subcall function 00E66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00E7CF58,?,?,?), ref: 00E66DED

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 4a1bd30992ae1c81167bd959a4c3f67c6983a829eb79b546f61d26510ae4c0aa
Instruction ID: 4e250443f7088fe8171739fd7281e9e403bd887ff9da1ae27991ed93ddf97a3f
Opcode Fuzzy Hash: 4a1bd30992ae1c81167bd959a4c3f67c6983a829eb79b546f61d26510ae4c0aa
Instruction Fuzzy Hash: 12A1E531204384AFC314DF21C895F6A77E5AF84358F54A98CF45A7B2A2DB31ED85CB91

Function 00E961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E882D9,00E882D9,?,?,?,00E9644F,00000001,00000001,?), ref: 00E96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E9644F,00000001,00000001,?,?,?,?), ref: 00E962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E963D8
__freea.LIBCMT ref: 00E963E5

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

__freea.LIBCMT ref: 00E963EE
__freea.LIBCMT ref: 00E96413

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2b55dbf9741fec7032046c476d55214a91f85a4b88ef95eb529e8a77726a5a01
Instruction ID: 5033beea37a42f12633d7eeddeea512d1485edb4ba26e9d4fe35d9de7b3281bf
Opcode Fuzzy Hash: 2b55dbf9741fec7032046c476d55214a91f85a4b88ef95eb529e8a77726a5a01
Instruction Fuzzy Hash: 0B51F372A00216AFDF268F64CC81EBF77A9EB94754F25526AFC05F6190EB34DC50C660

Function 00EEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00EEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EEBDF3
RegCloseKey.ADVAPI32(?), ref: 00EEBDFF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2ee257fca56a409b528c2ec12b150b0d2490f6712a1a17c89b701116ef2ae0c6
Instruction ID: 73a2fecdf0ad29636661e35efc317ed9469633791fe565d794ac8448aec64353
Opcode Fuzzy Hash: 2ee257fca56a409b528c2ec12b150b0d2490f6712a1a17c89b701116ef2ae0c6
Instruction Fuzzy Hash: 3781B030208245AFD714DF25C881E2BBBE5FF84348F24995CF459AB2A2DB31ED45CB92

Function 00EBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00EBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00EBF860
VariantCopy.OLEAUT32(00EBFA64,00000000), ref: 00EBF889
VariantClear.OLEAUT32(00EBFA64), ref: 00EBF8AD
VariantCopy.OLEAUT32(00EBFA64,00000000), ref: 00EBF8B1
VariantClear.OLEAUT32(?), ref: 00EBF8BB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fc5260aa3b5c0f4721279b68c3a23151f402b9ec4ae8d96924d38c2e3fdd93c1
Instruction ID: 25e5ddcda5d5ac12ddf7dee45764540cab60d8d36e236d456fab0bf05bc4cd34
Opcode Fuzzy Hash: fc5260aa3b5c0f4721279b68c3a23151f402b9ec4ae8d96924d38c2e3fdd93c1
Instruction Fuzzy Hash: 4651A731500310BACF24ABA5DC95BAAB3E9EF85714B24B477E905FF295DB708C40CB96

Function 00ED910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00ED94E5
_wcslen.LIBCMT ref: 00ED9506
_wcslen.LIBCMT ref: 00ED952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00ED9585

Strings

X, xrefs: 00ED9412

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 917018ab7816bab13dfb08c6222589660ee53249fe6689c7b13110b78514be56
Instruction ID: 77d1ebf7838ee6f02a60f71e6561c0b710e153a7613f5e761ddb9c093e8c0a79
Opcode Fuzzy Hash: 917018ab7816bab13dfb08c6222589660ee53249fe6689c7b13110b78514be56
Instruction Fuzzy Hash: E4E1A2315083009FD724EF24D881A6AB7E4FF85354F14996EF899AB3A2DB31DD05CB92

Function 00E7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

BeginPaint.USER32(?,?,?), ref: 00E79241
GetWindowRect.USER32(?,?), ref: 00E792A5
ScreenToClient.USER32(?,?), ref: 00E792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E792D3
EndPaint.USER32(?,?,?,?,?), ref: 00E79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00EB71EA

Part of subcall function 00E79339: BeginPath.GDI32(00000000), ref: 00E79357

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 4a6abfaf845756f43975d142e5331d9f58f40984760042f6d2a2b7664cec7f5a
Instruction ID: 8fe7024b2abb5d9a049ea8bec5b80eb0bac612b611e9942261af09863b838613
Opcode Fuzzy Hash: 4a6abfaf845756f43975d142e5331d9f58f40984760042f6d2a2b7664cec7f5a
Instruction Fuzzy Hash: 5C41CF30109204AFD710DF25DC84FBA7BF9FF85724F104229F9A9A72A2C7319849DB61

Function 00ED07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00ED080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00ED0847
EnterCriticalSection.KERNEL32(?), ref: 00ED0863
LeaveCriticalSection.KERNEL32(?), ref: 00ED08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00ED08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED0921

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6c4283c931c584f271616fa03f8ee929b9d5c805300eb78851b7e7932349240e
Instruction ID: 4346a92912ffbeba493be060cc52139601ffed7c1570746c63c7b3e557e1300b
Opcode Fuzzy Hash: 6c4283c931c584f271616fa03f8ee929b9d5c805300eb78851b7e7932349240e
Instruction Fuzzy Hash: F3415B71900209EFDF14AF54DC85A6A77B8FF44314F2480A9ED04AA297D730EE65DBA4

Function 00EF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EBF3AB,00000000,?,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EF824C
EnableWindow.USER32(?,00000000), ref: 00EF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EF82D1
ShowWindow.USER32(?,00000004), ref: 00EF82E5
EnableWindow.USER32(?,00000001), ref: 00EF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EF832F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f534d463a529a9e7f8c6654111603242c35e3b98d7758ebb9ae73e0a1ba76c5e
Instruction ID: b9fa7dc028494ada147dff06839f5ea50ab75d66c9e2a2db7d7cd589d0168b7e
Opcode Fuzzy Hash: f534d463a529a9e7f8c6654111603242c35e3b98d7758ebb9ae73e0a1ba76c5e
Instruction Fuzzy Hash: A241B73060264CEFEB11CF15CA95BF87BE1BB45718F186165E6486F2B2CB31A845CF50

Function 00EC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EC4CEA
_wcslen.LIBCMT ref: 00EC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EC4D10
_wcsstr.LIBVCRUNTIME ref: 00EC4D1A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: cab5eb87353fd992bd3090971fdaf9eb46e942448fdbdac7af0ba5e35a79ba10
Instruction ID: 5cefb48ebf62c76b897ffe26f1c5224c1b1e4373f8127f13eda0e1a624ffd9d5
Opcode Fuzzy Hash: cab5eb87353fd992bd3090971fdaf9eb46e942448fdbdac7af0ba5e35a79ba10
Instruction Fuzzy Hash: 9E210AB12042047BEB256B259D15F7B7FD8DF45750F20902DF809EA1D1EA62CC01C361

Function 00ED581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

_wcslen.LIBCMT ref: 00ED587B
CoInitialize.OLE32(00000000), ref: 00ED5995
CoCreateInstance.OLE32(00EFFCF8,00000000,00000001,00EFFB68,?), ref: 00ED59AE
CoUninitialize.OLE32 ref: 00ED59CC

Strings

.lnk, xrefs: 00ED5876, 00ED58C1, 00ED5985

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ab7cd6fb888d9c1fabd43d11979e8fa65a6aa537658c7fb1f8efa32f2e0e6d15
Instruction ID: 66430bc7d75420528b64fb515cc20fa681056b9d639c4b9a336ac0cf38d981c4
Opcode Fuzzy Hash: ab7cd6fb888d9c1fabd43d11979e8fa65a6aa537658c7fb1f8efa32f2e0e6d15
Instruction Fuzzy Hash: A8D175726047019FC714DF24C49492ABBE5EF89314F14985EF88AAB361DB31EC46CB92

Function 00EC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC0FCA
Part of subcall function 00EC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC0FD6
Part of subcall function 00EC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC0FE5
Part of subcall function 00EC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC0FEC
Part of subcall function 00EC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC1002

GetLengthSid.ADVAPI32(?,00000000,00EC1335), ref: 00EC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EC17BA
HeapAlloc.KERNEL32(00000000), ref: 00EC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EC1335), ref: 00EC17EE
HeapFree.KERNEL32(00000000), ref: 00EC17F5

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 286b176c2fabfd0ea7e6314885417103f7c2c3e0f436d2ead658193a9b70c723
Instruction ID: 0230c966f646bbc01598c48bf2bf6e8ee243ea094cd3820f643be73d3b87716d
Opcode Fuzzy Hash: 286b176c2fabfd0ea7e6314885417103f7c2c3e0f436d2ead658193a9b70c723
Instruction Fuzzy Hash: BD11AC31501208EFDB108BA4CE48FAE7BB8EF82319F20405DF441A7211C7369956CB60

Function 00EC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EC1515
CloseHandle.KERNEL32(00000004), ref: 00EC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EC1563

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7f2f32052d5448fcba4a17bb51d7fad4e4b379d649309bfbf24e0d6833a537a3
Instruction ID: 44e64dca3ebed09f262d8d5ce80e938e35c18a5cc7c2b98e62cfe5f57a664ec0
Opcode Fuzzy Hash: 7f2f32052d5448fcba4a17bb51d7fad4e4b379d649309bfbf24e0d6833a537a3
Instruction Fuzzy Hash: 34114D7250120DAFDB118F94DE49FDE7BA9EF45748F244059FA05B2160C3728D55EB60

Function 00E83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E83379,00E82FE5), ref: 00E83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E833B7
SetLastError.KERNEL32(00000000,?,00E83379,00E82FE5), ref: 00E83409

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7108ea596be4bbd1a4af26cce0e830e7ea3f1e268908098b29fc96ae6be21c47
Instruction ID: db5c5146c21a1548b0d06ef1b4df72bdf7a1068b7dc7fabbe06771d01c7caab3
Opcode Fuzzy Hash: 7108ea596be4bbd1a4af26cce0e830e7ea3f1e268908098b29fc96ae6be21c47
Instruction Fuzzy Hash: 42012832609315BEAA2477787C8596A2ED4EB05F793302229F42CF01F0EF114E0663C4

Function 00E92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E95686,00EA3CD6,?,00000000,?,00E95B6A,?,?,?,?,?,00E8E6D1,?,00F28A48), ref: 00E92D78
_free.LIBCMT ref: 00E92DAB
_free.LIBCMT ref: 00E92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000,00EA3CD6), ref: 00E92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000,00EA3CD6), ref: 00E92DEC
_abort.LIBCMT ref: 00E92DF2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c89bb5acf9d1742a06138a9d950098733aeab85bbd3f010c73477669795994fa
Instruction ID: ec3211c45cdba0379f626e9c2a0cf42e1429e5f616d4797e53ccb57f26e18a34
Opcode Fuzzy Hash: c89bb5acf9d1742a06138a9d950098733aeab85bbd3f010c73477669795994fa
Instruction Fuzzy Hash: D7F0C8355056003BCE226735BC06E6F25D9AFC17A5F35241DFA24F21E2EF24880251A0

Function 00EF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796A2
Part of subcall function 00E79639: BeginPath.GDI32(?), ref: 00E796B9
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00EF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00EF8A80
EndPath.GDI32(?), ref: 00EF8A90
StrokePath.GDI32(?), ref: 00EF8AA0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 42d0cf64246a0336a445803709aa3df3d81f76e4d078400f80a7e76b801b8d40
Instruction ID: ae2789ac4bde8edc3c8bdf94c7deae8832d9284673a9b7a3812c25d324d675bd
Opcode Fuzzy Hash: 42d0cf64246a0336a445803709aa3df3d81f76e4d078400f80a7e76b801b8d40
Instruction Fuzzy Hash: F211097600010DFFDB129F91DD88EAA7F6DEB08364F108052BA19AA1A1DB719D55DBA0

Function 00EC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC5230
ReleaseDC.USER32(00000000,00000000), ref: 00EC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EC5261

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b97b6ac9a73e94fc435772f59a716f6420fd3976f3da788954228632d0224589
Instruction ID: c35134e0fa0e7c5e4dcc04761e7141cad904fc37064ec9767ef3d8bd43b9e095
Opcode Fuzzy Hash: b97b6ac9a73e94fc435772f59a716f6420fd3976f3da788954228632d0224589
Instruction Fuzzy Hash: 0C018475A00708BFEB105BA69D49F5EBFB8EB44751F244065FA04F7390DA709805CBA0

Function 00E61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E61C22

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cf392c8bc69ecd161bd88bf27caa2ca3008411dcbcd3231cf8d6a230bc361bb3
Instruction ID: 222a4970a7780f0ee1adf1c4a14cf20ffecac5a339b4b7d6ada94182b02af4ef
Opcode Fuzzy Hash: cf392c8bc69ecd161bd88bf27caa2ca3008411dcbcd3231cf8d6a230bc361bb3
Instruction Fuzzy Hash: 6F016CB09027597DE3008F5A8C85B52FFA8FF59754F10411B915C47941C7F5A868CBE5

Function 00ECEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ECEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ECEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00ECEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB75

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 557f7a6313909e2ee91d0b33a245f10ba27183ea729ed56acb1e6651a219db2d
Instruction ID: 388bc0e0509296394fc5f3cc5e3ccb6cd2fec27eefe976956f324d2a85ecb6d9
Opcode Fuzzy Hash: 557f7a6313909e2ee91d0b33a245f10ba27183ea729ed56acb1e6651a219db2d
Instruction Fuzzy Hash: 95F06772201118BFE7205B639E0EEFB3A7CEFCAF11F200158F601E1090AAA01A05C6B5

Function 00EB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00EB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00EB7469
GetWindowDC.USER32(?), ref: 00EB7475
GetPixel.GDI32(00000000,?,?), ref: 00EB7484
ReleaseDC.USER32(?,00000000), ref: 00EB7496
GetSysColor.USER32(00000005), ref: 00EB74B0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f87be6edc01ad24b4d72383fd07d83fbe9e8c0a8c7027b0b9629673a262a05a0
Instruction ID: 1cfbd4b5201941e33afd921ad84c31c07a3e6b0a79d6ed83b2407c6e8f885264
Opcode Fuzzy Hash: f87be6edc01ad24b4d72383fd07d83fbe9e8c0a8c7027b0b9629673a262a05a0
Instruction Fuzzy Hash: 68017431404219EFEB105FA5DE08BFA7BB6FB84322F314060F92AB21A1CB311E55EB51

Function 00EC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EC187F
UnloadUserProfile.USERENV(?,?), ref: 00EC188B
CloseHandle.KERNEL32(?), ref: 00EC1894
CloseHandle.KERNEL32(?), ref: 00EC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC18A5
HeapFree.KERNEL32(00000000), ref: 00EC18AC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 46b001cfd96797740dc5dd23c5582dee587d73a01a10abf3ab285571c5596507
Instruction ID: 1951220b9ce44bcd5541faf3e98baaaac40dfb259e8059f41503bef663ffd1c9
Opcode Fuzzy Hash: 46b001cfd96797740dc5dd23c5582dee587d73a01a10abf3ab285571c5596507
Instruction Fuzzy Hash: D6E0C936005109BFD6015BA2EE0CD15BF39FF897217708221F225A1071CB325474EB50

Function 00EE7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E80242: EnterCriticalSection.KERNEL32(00F3070C,00F31884,?,?,00E7198B,00F32518,?,?,?,00E612F9,00000000), ref: 00E8024D
Part of subcall function 00E80242: LeaveCriticalSection.KERNEL32(00F3070C,?,00E7198B,00F32518,?,?,?,00E612F9,00000000), ref: 00E8028A

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00E800A3: __onexit.LIBCMT ref: 00E800A9

__Init_thread_footer.LIBCMT ref: 00EE7BFB

Part of subcall function 00E801F8: EnterCriticalSection.KERNEL32(00F3070C,?,?,00E78747,00F32514), ref: 00E80202
Part of subcall function 00E801F8: LeaveCriticalSection.KERNEL32(00F3070C,?,00E78747,00F32514), ref: 00E80235

Strings

5, xrefs: 00EE7C78
+T, xrefs: 00EE7E2E
G, xrefs: 00EE7C7F
Variable must be of type 'Object'., xrefs: 00EE7C3A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 5efa44d73a933b8ce64ad747044013d19dc19f05b5c4eba1e31e9a96af74a1ed
Instruction ID: 0c042f1b274efa7823260e353193b978649c87ce5b5a3d920472c8a43d603944
Opcode Fuzzy Hash: 5efa44d73a933b8ce64ad747044013d19dc19f05b5c4eba1e31e9a96af74a1ed
Instruction Fuzzy Hash: 0791AB70A0424CEFCB04EF55D9809ADB7B1FF49308F249059F886BB292DB71AE45CB51

Function 00ECC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ECC6EE
_wcslen.LIBCMT ref: 00ECC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ECC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ECC7CA

Strings

0, xrefs: 00ECC6AF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6a2455fda3d05240cc83a1d57c8e9688ee46aad7ddce3ac1f9669958005e0641
Instruction ID: 2bbbf0ea3cfa4b7f41400dde68bb9a59b7869a49b1346d1bb168cd5b09730066
Opcode Fuzzy Hash: 6a2455fda3d05240cc83a1d57c8e9688ee46aad7ddce3ac1f9669958005e0641
Instruction Fuzzy Hash: 3251D0716043009BD7149F38CA44FAB77E4EB89318F242A2EF999F2190DB62D806DB52

Function 00EEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00EEAEA3

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

GetProcessId.KERNEL32(00000000), ref: 00EEAF38
CloseHandle.KERNEL32(00000000), ref: 00EEAF67

Strings

@, xrefs: 00EEAE72
<, xrefs: 00EEAE6B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9981a5a7513bc67247cc17a4aecaf790cf17da70551a2b7555670453e82cab09
Instruction ID: 87205f3354c0960bf0a65804c58b51e16bbfc08e678500381dcfd314ec4f693e
Opcode Fuzzy Hash: 9981a5a7513bc67247cc17a4aecaf790cf17da70551a2b7555670453e82cab09
Instruction Fuzzy Hash: B7716770A00259DFCB14DF55D484A9EBBF0EF08318F1894ADE85ABB262C770ED45CB91

Function 00EC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EC72CF

Strings

DllGetClassObject, xrefs: 00EC7242

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4e56a42e964cfd49438ae43cc535cb09d2d1e0b5be1eec14ecda6b89014e83b7
Instruction ID: 0d113f1cb359510c73b93743f48d1ba2469a3696dfa7366807e65ead7f7ef117
Opcode Fuzzy Hash: 4e56a42e964cfd49438ae43cc535cb09d2d1e0b5be1eec14ecda6b89014e83b7
Instruction Fuzzy Hash: 8D4190B16042049FDB19CF54CA84F9A7BB9EF44314F2090ADBD45AF21AD7B2D946CFA0

Function 00EF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF3E35
IsMenu.USER32(?), ref: 00EF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF3E92
DrawMenuBar.USER32 ref: 00EF3EA5

Strings

0, xrefs: 00EF3D89

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fdd591a2d905c05e80cf9a65daca403f5611ae67e9492951805c1ee6d330a06f
Instruction ID: 3f393174164b3e5d72448ba53dfdbfbfa06d5430a69ebff982958b36bc4bfd8c
Opcode Fuzzy Hash: fdd591a2d905c05e80cf9a65daca403f5611ae67e9492951805c1ee6d330a06f
Instruction Fuzzy Hash: 06413375A0130DAFDF10DF60D884AEABBB9FF48368F145129EA05AB250D730AE45DF60

Function 00EC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EC1EA9

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Strings

ComboBox, xrefs: 00EC1DF0
ListBox, xrefs: 00EC1E25

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: fcb761321103c7ebb66c601338179e63d4a3f63a97792ef586a66c25cf7c7ecc
Instruction ID: 533ce618d6c5e1739437e9af0ee936d1bacb8aad901214c23bb2eef20b8bec00
Opcode Fuzzy Hash: fcb761321103c7ebb66c601338179e63d4a3f63a97792ef586a66c25cf7c7ecc
Instruction Fuzzy Hash: 55212671A40108AEDB14AB64EE45DFFB7B8DF423A4B20A11DF815F31E2DB35490AD620

Function 00EEC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EEC9F1
_wcslen.LIBCMT ref: 00EECA68
_wcslen.LIBCMT ref: 00EECA9E
_wcslen.LIBCMT ref: 00EECAF9
_wcslen.LIBCMT ref: 00EECB2F
_wcslen.LIBCMT ref: 00EECB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00EECA62, 00EECA67
HKLM, xrefs: 00EECA98, 00EECA9D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: d3d441449cda74d17da675e81b775086e332efd92a23ec572e690335472b8dda
Instruction ID: b29c19b5b449518df9c25c6ba457710379e996e7f98b467e0e2ca71fa324a6c1
Opcode Fuzzy Hash: d3d441449cda74d17da675e81b775086e332efd92a23ec572e690335472b8dda
Instruction Fuzzy Hash: 6931F7736005EE4BCB20EE6ED9404BE37919BA1798B256039E85F7B245E670CD4293A0

Function 00EF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EF2F8D
LoadLibraryW.KERNEL32(?), ref: 00EF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EF2FA9
DestroyWindow.USER32(?), ref: 00EF2FB1

Strings

SysAnimate32, xrefs: 00EF2F68

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d6886f981ba83a3c8a938a662d6eff111fd4623770aa3af8440e888af445853b
Instruction ID: c0dc3d157a5c7d826d6cc7d5e9eb1b6e932b2d3483edc8eef00f772d46ee4b8b
Opcode Fuzzy Hash: d6886f981ba83a3c8a938a662d6eff111fd4623770aa3af8440e888af445853b
Instruction Fuzzy Hash: 4F218B72224209ABEB204F64DC80EBB37B9EB59368F20661CFB50F21A0D771DC519760

Function 00E84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E84D1E,00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002), ref: 00E84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E84D1E,00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002,00000000), ref: 00E84DC3

Strings

CorExitProcess, xrefs: 00E84D98
mscoree.dll, xrefs: 00E84D86

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bf49a78fc8cb776ac2ac79f849825606dd1fbf2eec0e167033f9dbce91094af8
Instruction ID: 661bedfaee07cb0b6740a5b2df9f40e0368edc11d79bfb81048dd4694cefc593
Opcode Fuzzy Hash: bf49a78fc8cb776ac2ac79f849825606dd1fbf2eec0e167033f9dbce91094af8
Instruction Fuzzy Hash: 83F0AF30A0020DBFDB10AF91DC09BADBBB5EF44755F2000A4F80DB22A0DF309944DB92

Function 00E64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E64EAE
FreeLibrary.KERNEL32(00000000,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00E64EA8
kernel32.dll, xrefs: 00E64E94

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 06556feda67fedb6c282aa7f3575b74cddf284162a6beb1f040e5195a79e6821
Instruction ID: 5f14ab84bd25fa2c61cd94d7845ffb5f8a0f18c2f3605120b4e4204940f926f7
Opcode Fuzzy Hash: 06556feda67fedb6c282aa7f3575b74cddf284162a6beb1f040e5195a79e6821
Instruction Fuzzy Hash: FBE02635A026225F822107267C18A3B6164AFC1BA27241011FC00F2140DB60CC0580A2

Function 00E64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E64E74
FreeLibrary.KERNEL32(00000000,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E64E6E
kernel32.dll, xrefs: 00E64E5B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 53f62c917349a8b23c4d90d70cb7880445e53f277d0da13625382c944aac69e1
Instruction ID: 4cf0fdacfdd83edd5b3aaad2190f1f5994af293e191c2fb226490df3b12db707
Opcode Fuzzy Hash: 53f62c917349a8b23c4d90d70cb7880445e53f277d0da13625382c944aac69e1
Instruction Fuzzy Hash: 75D0C2395436365F47221B267C08DAB2A28AFC1BA53351511B904B6154DF21CD15C1D1

Function 00ED2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2C05
DeleteFileW.KERNEL32(?), ref: 00ED2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ED2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2CC0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b83a61f6aa2c2f76ad467a296049648670156eace7b5e134538423e8b59cba99
Instruction ID: 8baed1e63b9a45ab7674411d0146b86861fef738b2f6303278910ee36f8940cd
Opcode Fuzzy Hash: b83a61f6aa2c2f76ad467a296049648670156eace7b5e134538423e8b59cba99
Instruction Fuzzy Hash: 3AB17072E00119ABDF11EBA4CC85EDEB7BCEF58350F1050AAF609F6251EA309E458F61

Function 00EEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00EEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EEA468
CloseHandle.KERNEL32(?), ref: 00EEA63D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 66d6cb9a3075331f59e59c95edc631dac6d8d70bd30e39e64ca52f182a57a9e0
Instruction ID: 78ad88b74042c61a01bf43ec15206c220d41ccaf66056892a5eca627ce64567b
Opcode Fuzzy Hash: 66d6cb9a3075331f59e59c95edc631dac6d8d70bd30e39e64ca52f182a57a9e0
Instruction Fuzzy Hash: E4A1C2716043019FD720DF15D886F2AB7E1AF84714F18985DF5AAAB392D7B0EC40CB92

Function 00ECE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ECCF22,?), ref: 00ECDDFD

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ECCF22,?), ref: 00ECDE16

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

lstrcmpiW.KERNEL32(?,?), ref: 00ECE473
MoveFileW.KERNEL32(?,?), ref: 00ECE4AC
_wcslen.LIBCMT ref: 00ECE5EB
_wcslen.LIBCMT ref: 00ECE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ECE650

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5e87acdd5591a159083e1ed2a6baf37deb63209d5b85ac6e0657821d810ff005
Instruction ID: f308bdb1d2d6cb63f90310f34ee451491ca1c6d38b02e7ca544bf0e06b63b9f5
Opcode Fuzzy Hash: 5e87acdd5591a159083e1ed2a6baf37deb63209d5b85ac6e0657821d810ff005
Instruction Fuzzy Hash: 8851A4B24087455BC724EB90DD81EDFB3ECAF84344F10191EF589E3192EF35A5898766

Function 00EEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00EEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00EEBBB3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 69b16078db05d950cc54857a0fa03cf60fbb688a780e3044201bf0733348143f
Instruction ID: e7ee08454d471c28e7583f88ad37d85d0b2ed2043dbcba52ab8c020d1379f0e7
Opcode Fuzzy Hash: 69b16078db05d950cc54857a0fa03cf60fbb688a780e3044201bf0733348143f
Instruction Fuzzy Hash: E561C331208245AFD714DF15C490E2BBBE5FF84348F24956CF4999B2A2DB31ED45CB92

Function 00EC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC8BCD
VariantClear.OLEAUT32 ref: 00EC8C3E
VariantClear.OLEAUT32 ref: 00EC8C9D
VariantClear.OLEAUT32(?), ref: 00EC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EC8D3B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 48779758ca0618ded4870d2c2ac008662056c19d0161b210b4dbffacf3ddb551
Instruction ID: ac5957706525ac3bde6d48303bc5679a52c323546abaec74af5bddad8658d073
Opcode Fuzzy Hash: 48779758ca0618ded4870d2c2ac008662056c19d0161b210b4dbffacf3ddb551
Instruction Fuzzy Hash: 00517C71A00219DFCB14CF18D994EAABBF8FF89314B118559F915EB350D731E911CB90

Function 00ED8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00ED8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00ED8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00ED8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00ED8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00ED8C5F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 156bdd84bb17e0aeb5170c38a736255b2772e483e5ec8c1c52eb595311919782
Instruction ID: 2e89f55a0bf23b7b3b81282b1bb71c06d91d014f20bf71d3ac021a5719a46fff
Opcode Fuzzy Hash: 156bdd84bb17e0aeb5170c38a736255b2772e483e5ec8c1c52eb595311919782
Instruction Fuzzy Hash: 71516C35A00218DFCB04DF65C884A6DBBF5FF48358F188499E84AAB362DB31ED51CB91

Function 00EE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EE9032
FreeLibrary.KERNEL32(00000000), ref: 00EE9052

Part of subcall function 00E7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00ED1043,?,753CE610), ref: 00E7F6E6
Part of subcall function 00E7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EBFA64,00000000,00000000,?,?,00ED1043,?,753CE610,?,00EBFA64), ref: 00E7F70D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 316b68c9e53652972ecc7613e3a95a56ce70762431c5709d685b584a98d8038b
Instruction ID: a9c8913a53f439a4d1aaa6f8f0d4396d299ec100d1f7e3514cceda0c1d9da2b9
Opcode Fuzzy Hash: 316b68c9e53652972ecc7613e3a95a56ce70762431c5709d685b584a98d8038b
Instruction Fuzzy Hash: 8B516C34600249DFC714DF59C5848ADBBF1FF49328B1490A8E80ABB362DB31ED85CB90

Function 00EF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00EF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EDAB79,00000000,00000000), ref: 00EF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EF6CC7

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4cfbd70cceffe8002003da5dfe9da151fca6e9e1b618cd228b2995133ba4d63d
Instruction ID: 837abd4883e4fee24cdf055ad19ba071a24cd563d201f0a4a95007af32ccbb69
Opcode Fuzzy Hash: 4cfbd70cceffe8002003da5dfe9da151fca6e9e1b618cd228b2995133ba4d63d
Instruction Fuzzy Hash: 5A41CF35A0410CAFDB24CF28CD58FB9BBA5EB49364F251268EA95F72E1C371AD41DA40

Function 00E92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E920C3
_free.LIBCMT ref: 00E920E3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5f51f82b13c9bd552a6fd62ffe8e1b844a9672a50e7c5217f7ce951aef1ce8e6
Instruction ID: f7d5c4fc0b6014081fbcbf4fcafb39274e80f3463fe538a5bb21027c57625f0e
Opcode Fuzzy Hash: 5f51f82b13c9bd552a6fd62ffe8e1b844a9672a50e7c5217f7ce951aef1ce8e6
Instruction Fuzzy Hash: 9541D232A00204AFCF24DF79C881A9EB7E5EF89714F1555ACE619FB391D631AD01DB81

Function 00E7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E79141
ScreenToClient.USER32(00000000,?), ref: 00E7915E
GetAsyncKeyState.USER32(00000001), ref: 00E79183
GetAsyncKeyState.USER32(00000002), ref: 00E7919D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f1d66160120552cff2d964840d6704f5ce10685a259c2799db79da3832cfe363
Instruction ID: 8a40949aa9cabe8fb4d00b3a28db8094949695826560a7a956d42577302ba3dd
Opcode Fuzzy Hash: f1d66160120552cff2d964840d6704f5ce10685a259c2799db79da3832cfe363
Instruction Fuzzy Hash: 1B41AF31A0960ABBCF059F68C848BFEB7B4FF45324F209219E469B32D1C7306954CBA1

Function 00ED3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00ED38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00ED3922
TranslateMessage.USER32(?), ref: 00ED394B
DispatchMessageW.USER32(?), ref: 00ED3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED3966

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: bb8608865a6b2e30aaf493dc014f4bbb97a803af8418de92614585bb032808e2
Instruction ID: e99a0f8aa64aaf04e4f0d49877200f46c13019a3568a917ae77bd231c189b3d5
Opcode Fuzzy Hash: bb8608865a6b2e30aaf493dc014f4bbb97a803af8418de92614585bb032808e2
Instruction Fuzzy Hash: AE3139705043499EEB34CB35DC58BB637A8EB45318F14142FE462A22E4E3F09686EB23

Function 00EDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFF2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 88a227d72ae15888d9645ba43c2fcc834826d3ad93e2ea940839712262ddd4ed
Instruction ID: 515812b45bbfa60255e85278b34fd3c47b025a4bb5c00bd2213db5771933c9e3
Opcode Fuzzy Hash: 88a227d72ae15888d9645ba43c2fcc834826d3ad93e2ea940839712262ddd4ed
Instruction Fuzzy Hash: BF314F71604606AFDB20DFA5C984AEBBBF9EB54394B30542FF506F2250DB30AD46DB60

Function 00EC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EC19E2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b1cb1b49b3325d292b1b56299a1a366761a8134637876d447cd3c46dd17cfaad
Instruction ID: 8a84131f52250e9b14915e06f1ba59064240c42ee9a463fd1be62b3a4dde7d1a
Opcode Fuzzy Hash: b1cb1b49b3325d292b1b56299a1a366761a8134637876d447cd3c46dd17cfaad
Instruction Fuzzy Hash: 8031CF71900219EFCB00CFA8CA98BEE3BB5EB85314F205269F921A72D1C3709955CB91

Function 00EF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EF579D
_wcslen.LIBCMT ref: 00EF57AF
_wcslen.LIBCMT ref: 00EF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF5816

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1d5fc661c7119d5f77cba712805963079caeed0803802ff7c193510083a0082a
Instruction ID: 64c4b4a4fb88ebadd87c0b9e428d1968166ad07094ff6533e486418e1b7ca6f1
Opcode Fuzzy Hash: 1d5fc661c7119d5f77cba712805963079caeed0803802ff7c193510083a0082a
Instruction Fuzzy Hash: F9214F7290461CDADB209F60CC85AFD77B8FB54724F109216EB29FA1C0E7708985CF51

Function 00EE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EE0951
GetForegroundWindow.USER32 ref: 00EE0968
GetDC.USER32(00000000), ref: 00EE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EE09E8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 23e7a0bbb1ece3938c0960572715217e72585ff976f31119cbe4cdc0970d7f6c
Instruction ID: 10ff066022a7f8a5539263cafb23af9cfc7690aac30b87bff32055bf1d10e221
Opcode Fuzzy Hash: 23e7a0bbb1ece3938c0960572715217e72585ff976f31119cbe4cdc0970d7f6c
Instruction Fuzzy Hash: DF219635600208AFD704EF65E944AAEB7F9EF84740F148469F84AF7362DB70AC45CB50

Function 00E9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9CDE9

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E9CE0F
_free.LIBCMT ref: 00E9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E9CE31

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0f950f62c573318a6b9c573456e3b8f31a3f68c772302cc61105de4787517f7f
Instruction ID: 0bd50e018ac26e4649dbc4bb07d7550deffdfcb77b7e77043de4683df3cca77f
Opcode Fuzzy Hash: 0f950f62c573318a6b9c573456e3b8f31a3f68c772302cc61105de4787517f7f
Instruction Fuzzy Hash: 3D0184726022157F2B2166B76C88D7B6A6DDFC6BA53351129FD06F7201EA618D01C2B0

Function 00E79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
SelectObject.GDI32(?,00000000), ref: 00E796A2
BeginPath.GDI32(?), ref: 00E796B9
SelectObject.GDI32(?,00000000), ref: 00E796E2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 09ea2f51bd4ae6e52e576c1db1ad95dd3b32cddf3763a4d2df9f83d168e9071c
Instruction ID: e3d43ff579f7ec412ca0cc69c84b93725581cb3e38fd8c725a75d10db211c809
Opcode Fuzzy Hash: 09ea2f51bd4ae6e52e576c1db1ad95dd3b32cddf3763a4d2df9f83d168e9071c
Instruction Fuzzy Hash: 5A216D30803209EFDB119FA5ED04BAD3BBABF40779F208316F414B61A1D3709899EB94

Function 00EC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EC5726
_memcmp.LIBVCRUNTIME ref: 00EC5744
_memcmp.LIBVCRUNTIME ref: 00EC5757
_memcmp.LIBVCRUNTIME ref: 00EC576F
_memcmp.LIBVCRUNTIME ref: 00EC5787

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b35cd05b9c35773ca2b1ed1cc62552c2a030fda0aa949c4a4a44718f25498d8c
Instruction ID: 9dcb87f8c8d64679746de1782385b3c1fad72a70156794213dfa061168e4ab8c
Opcode Fuzzy Hash: b35cd05b9c35773ca2b1ed1cc62552c2a030fda0aa949c4a4a44718f25498d8c
Instruction Fuzzy Hash: D2019B63641719BAD21856109F41FFA639C9F21358B006026FD0C7A241F662FDA282A4

Function 00E92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E8F2DE,00E93863,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6), ref: 00E92DFD
_free.LIBCMT ref: 00E92E32
_free.LIBCMT ref: 00E92E59
SetLastError.KERNEL32(00000000,00E61129), ref: 00E92E66
SetLastError.KERNEL32(00000000,00E61129), ref: 00E92E6F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 403e666e212a1778012d0e7894ece18e02ed072be2cbd6e6535b6e45e01a913b
Instruction ID: c8312ebfa9fd5ff42cffcdb1036bf936df51e07540f0eb6ba482281f52a3d036
Opcode Fuzzy Hash: 403e666e212a1778012d0e7894ece18e02ed072be2cbd6e6535b6e45e01a913b
Instruction Fuzzy Hash: B901F4326056047BCE1367356CC6D6B26DDAFC17B9B31602DFA25B22D2EE608C0651A0

Function 00EC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?,?,00EC035E), ref: 00EC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?), ref: 00EC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0070

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1f58be2a8132a93a27cdd5b8485dfc50998dd78c33a609dfdf3d485088dab6b3
Instruction ID: a496e9e3cd4329dde93c921f4c2c4bd80d41a01723ef4ea7dfc14ce2a7016be7
Opcode Fuzzy Hash: 1f58be2a8132a93a27cdd5b8485dfc50998dd78c33a609dfdf3d485088dab6b3
Instruction Fuzzy Hash: 9601DF72600208FFDB114F69DE05FAA7AADEB84791F215428F801F2210D772DD05DBA0

Function 00EC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0ce3f8a4752707fd2081b83e51107e3ceeef69e5499d3b1e34eb59a8cbdf001f
Instruction ID: 231c4ee0c2163b1cea8e3a5b9520e794fec630631428976a9276a69f64a17c7d
Opcode Fuzzy Hash: 0ce3f8a4752707fd2081b83e51107e3ceeef69e5499d3b1e34eb59a8cbdf001f
Instruction Fuzzy Hash: F5016975201209BFDB115FA6DD49E6A3B6EEFCA3A4B340459FA41E3360DB31DC51CA60

Function 00EC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC1002

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b954b639bb84bf3cfdd56d3415b974d16d92867838df4071d68d24392d2ac5d
Instruction ID: 6a486f90515e12332f28fc2d43ef4521342ba6aef7e8165717a3ab9784cfc410
Opcode Fuzzy Hash: 1b954b639bb84bf3cfdd56d3415b974d16d92867838df4071d68d24392d2ac5d
Instruction Fuzzy Hash: 03F0AF35201305AFD7210FA59E4AF663B6EEFCA761F300459F905E6251CA31DC51CA60

Function 00EC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1062

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a7f82df0f50b1eb00d35c050de2b37756d93ecb520ccb99062dc2a031277e500
Instruction ID: 3e00dd7b7c26b1f53bcf0bd32ea1ee5641ecb842323e9011dd830d2f08afb384
Opcode Fuzzy Hash: a7f82df0f50b1eb00d35c050de2b37756d93ecb520ccb99062dc2a031277e500
Instruction Fuzzy Hash: 12F0AF35201305AFD7211FA5EE4AF6A3B6DEFCA7A1F300414F905E6251CA31D851DA60

Function 00ED030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0324
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0331
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED033E
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED034B
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0358
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0365

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc3deaa4cc0e1b237c00bde58e0b949952eead2eace10897f7ae48cc37775bc1
Instruction ID: 7228ca28a64f9a640affce0a8dafbd5d3901a01d2e063867d5000b6f4ca1fc35
Opcode Fuzzy Hash: fc3deaa4cc0e1b237c00bde58e0b949952eead2eace10897f7ae48cc37775bc1
Instruction Fuzzy Hash: 5E01E272800B058FC7309F66D880812F7F5FF503193199A3FD19262A30C3B0A959CF80

Function 00E9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9D752

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9D764
_free.LIBCMT ref: 00E9D776
_free.LIBCMT ref: 00E9D788
_free.LIBCMT ref: 00E9D79A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5a7b9d36e294cd68e9cab3ea7c4285c455833f524312fbbcb742789857a2703
Instruction ID: 744843ef7eb222b73f8281533018c5b1ab703863466f7e48e03744e1d9e0bb45
Opcode Fuzzy Hash: a5a7b9d36e294cd68e9cab3ea7c4285c455833f524312fbbcb742789857a2703
Instruction Fuzzy Hash: 59F0FF32548218BB8E21EBA4FDC5C5A7BDDBB447147A4280AF14CF7501C720FC8086E4

Function 00EC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EC5C6F
MessageBeep.USER32(00000000), ref: 00EC5C87
KillTimer.USER32(?,0000040A), ref: 00EC5CA3
EndDialog.USER32(?,00000001), ref: 00EC5CBD

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7d45c7dbd2a039f34e9c98aa4bf7b3ad7f56e4ea25c7a2b19e3df437af7fb275
Instruction ID: da67cb889e0d782839e7e5e1ddb45ca9702fdc53de64782526420bdd78fbae62
Opcode Fuzzy Hash: 7d45c7dbd2a039f34e9c98aa4bf7b3ad7f56e4ea25c7a2b19e3df437af7fb275
Instruction Fuzzy Hash: FD016231500B08AFEB205B11DF4EFA6B7B8BB40B05F15155DA593B10E1DBF1B989CA90

Function 00E922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E922BE

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E922D0
_free.LIBCMT ref: 00E922E3
_free.LIBCMT ref: 00E922F4
_free.LIBCMT ref: 00E92305

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 96dc814ca571be3aa6b8e34b248448af77a22d40cc109019b2a0e213f61ff589
Instruction ID: 7e76f67bd2ad7992e469e5c3883f1c50883fd1b8a7c8384416664f16482d21e9
Opcode Fuzzy Hash: 96dc814ca571be3aa6b8e34b248448af77a22d40cc109019b2a0e213f61ff589
Instruction Fuzzy Hash: AFF05E70801528AB8E22EF64BC0184E3BA6F758770700150FF518E23B1CB304912FFE4

Function 00E795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E795D4
StrokeAndFillPath.GDI32(?,?,00EB71F7,00000000,?,?,?), ref: 00E795F0
SelectObject.GDI32(?,00000000), ref: 00E79603
DeleteObject.GDI32 ref: 00E79616
StrokePath.GDI32(?), ref: 00E79631

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c0809e7558e67fc5bcb2ae4a21ac5388d9473e748dae8ff8b40b481ad8b239b4
Instruction ID: d625613ccf40a0ec9d47c1c6a51690ac579176f59ce06766c9b44bffe2180ce8
Opcode Fuzzy Hash: c0809e7558e67fc5bcb2ae4a21ac5388d9473e748dae8ff8b40b481ad8b239b4
Instruction Fuzzy Hash: D4F0C93500660CEFDB169F66EE18BA43B66BB41376F248354F469650F1CB3089A9EF20

Function 00E90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E910F9
__freea.LIBCMT ref: 00E91117

Part of subcall function 00E91537: _free.LIBCMT ref: 00E9154F

Strings

a/p, xrefs: 00E911DE
am/pm, xrefs: 00E9117A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 7a592608741aa7357d76950a1c0aeed0e6da1eb32bbcdd4d6407269e2a0b7601
Instruction ID: f5494a9a49eb3708029c1d186766050422e072e688998616e1dd0ddea7876622
Opcode Fuzzy Hash: 7a592608741aa7357d76950a1c0aeed0e6da1eb32bbcdd4d6407269e2a0b7601
Instruction Fuzzy Hash: 24D1FF31A00207DADF29DF68C885BFEB7B1EF06704F292199E915BBA50D3759D80CB91

Function 00E95AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00E95BA8, 00E95C6C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 3291df8d66367ea643a18341a44b736b19cdd462eb1fff557747ce1dfa71d266
Instruction ID: 87d233b239aa3e66a2688a06e00e2130a25617b6b6028ac6cb803dc9c9bea0b3
Opcode Fuzzy Hash: 3291df8d66367ea643a18341a44b736b19cdd462eb1fff557747ce1dfa71d266
Instruction Fuzzy Hash: 15518F72900609AFCF22AFA4C945EEEBBF8AF45314F14215AF409B72A1D7719901DB61

Function 00E98A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E98B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E98B7A
__dosmaperr.LIBCMT ref: 00E98B81

Strings

., xrefs: 00E98A63

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: e324e3d0ab81519cb2a8f97b2f5d41b9f24cb78b00ee5e0268af1ef6ee8ca926
Instruction ID: b480a65855b1575ae645e811e0fa46ed00c4bdc4a598f6af06c9bab2b5fe5857
Opcode Fuzzy Hash: e324e3d0ab81519cb2a8f97b2f5d41b9f24cb78b00ee5e0268af1ef6ee8ca926
Instruction Fuzzy Hash: F4416EB4604145AFDF249F24C990ABD7FE6DB87314F2C519AF485A7262EE318C02D790

Function 00EC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC21D0,?,?,00000034,00000800,?,00000034), ref: 00ECB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EC2760

Part of subcall function 00ECB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ECB3F8

Part of subcall function 00ECB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ECB355
Part of subcall function 00ECB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ECB365
Part of subcall function 00ECB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ECB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EC281A

Strings

@, xrefs: 00EC2832

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 722d80576718938f1aac238cda0a4c0a8f7292bc3bed5cb985d4f924982ccb42
Instruction ID: b3d4ae1a908226b0758c5908d37b6cf05bee38efb527945e0eb61937fc04c403
Opcode Fuzzy Hash: 722d80576718938f1aac238cda0a4c0a8f7292bc3bed5cb985d4f924982ccb42
Instruction Fuzzy Hash: C0412D72900218AFDB14DBA4CD86FEEBBB8AF09700F105099FA55B7181DB716E46CB61

Function 00E9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E91769
_free.LIBCMT ref: 00E91834
_free.LIBCMT ref: 00E9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E91760, 00E91767, 00E91796, 00E917CE

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 42eef6957b9a7d78d7a39a32ea7c551e1c60d5f9ace449ed4d2c7b6cb13e43ce
Instruction ID: 6c41b8b5e512a36b9f8f0071fe601b10c9fdce77edc73223bbe24a96e2e1cfd9
Opcode Fuzzy Hash: 42eef6957b9a7d78d7a39a32ea7c551e1c60d5f9ace449ed4d2c7b6cb13e43ce
Instruction Fuzzy Hash: F4317075A0021AAFDF25DF99D885D9FBBFCEB85324B1451ABF804E7211D6708E40DBA0

Function 00ECC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ECC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00ECC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F31990,010A5698), ref: 00ECC395

Strings

0, xrefs: 00ECC2DF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 985db7535f4d2ac5fa02810e5b822d4c955f3f746ddaafdb5b99c72b6a085fa0
Instruction ID: ccef9b41ab721aae675438b352ae1c252f9a57e8192ba3f220e0a514afa267a3
Opcode Fuzzy Hash: 985db7535f4d2ac5fa02810e5b822d4c955f3f746ddaafdb5b99c72b6a085fa0
Instruction Fuzzy Hash: 3C41E5312043419FD720DF29E944F5ABBE4AF85314F20966DF869E72D1C731E806CB52

Function 00EF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EFCC08,00000000,?,?,?,?), ref: 00EF44AA
GetWindowLongW.USER32 ref: 00EF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF44D7

Strings

SysTreeView32, xrefs: 00EF447C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a4ec385970f0f4454b1c69d75bf411b0a8424d1afcc617aa521a8dad61e25a3a
Instruction ID: 06a03c4d9219a1919c47b3e32da6a6b6273903f90960e3fde0c0535ce1b1dcbe
Opcode Fuzzy Hash: a4ec385970f0f4454b1c69d75bf411b0a8424d1afcc617aa521a8dad61e25a3a
Instruction Fuzzy Hash: 5F317C71214209AFDB219E38DC45BEB77A9EB48338F205725FA79B21E0D770EC549B50

Function 00EC6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EC6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EC6F08
VariantClear.OLEAUT32(?), ref: 00EC6F12

Strings

*j, xrefs: 00EC6E8B, 00EC6E90, 00EC6EF8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 20dc98d40b192abb7913a2bbaa1cd13eace2992ed146fe330366713deed7d4b9
Instruction ID: 0dc86766741cb40885883b101845451bf0df8b8abc0566dc860756ab4b7de871
Opcode Fuzzy Hash: 20dc98d40b192abb7913a2bbaa1cd13eace2992ed146fe330366713deed7d4b9
Instruction Fuzzy Hash: 0E31B071704385DFCB05AFA4E950EBE37B6EF8A344B10149CFA02AB2A1C7719912DB90

Function 00EE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EE3077,?,?), ref: 00EE3378

inet_addr.WSOCK32(?), ref: 00EE307A
_wcslen.LIBCMT ref: 00EE309B
htons.WSOCK32(00000000), ref: 00EE3106

Strings

255.255.255.255, xrefs: 00EE3095, 00EE309A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3e9369124838481d47fa942df5f90b1b84139b0400563794df0d36f9159b956a
Instruction ID: a94a1eadad32bb88bb94c2e8b7ca419cc6205fd640de400f239514f1959642b8
Opcode Fuzzy Hash: 3e9369124838481d47fa942df5f90b1b84139b0400563794df0d36f9159b956a
Instruction Fuzzy Hash: 5A31E7352042899FCB20CF7AC589EAA77E0EF54318F259059E815AB393D732EF45C760

Function 00EF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF3F78

Strings

SysMonthCal32, xrefs: 00EF3F0B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6ca875f40b1ce33de7dab9359dba56784ffefbc6dd7df6d8dd09b7888ddfd0d7
Instruction ID: 5f6809da089aa5574e08121f99b4d2db9f6f65b983922b8b8e57670744b3ab01
Opcode Fuzzy Hash: 6ca875f40b1ce33de7dab9359dba56784ffefbc6dd7df6d8dd09b7888ddfd0d7
Instruction Fuzzy Hash: D621AD32600219BFDF218F60DC46FEA3BB6EF48728F111214FA15BB190D6B1A954CB90

Function 00EF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF471A

Strings

msctls_updown32, xrefs: 00EF4684

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2b7bbe738b81c507afeaea08a224f3106a75a0f390a1a2d2a77f058f22bdf596
Instruction ID: 147519f02d05b130f0e6450d972b09f0ea5cd7cb75a63ce246c23172f986c16a
Opcode Fuzzy Hash: 2b7bbe738b81c507afeaea08a224f3106a75a0f390a1a2d2a77f058f22bdf596
Instruction Fuzzy Hash: 71214FF5601208AFEB10DF64DC81DB737EDEB8A3A8B151059F600AB291C770EC11DA60

Function 00EC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC961D

Strings

#notrayicon, xrefs: 00EC95B7
#requireadmin, xrefs: 00EC95D9
#OnAutoItStartRegister, xrefs: 00EC95F3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4a011485193ff7bbe73ed1281c20c4bb99d37cf0ad9ab70f028c15bd2ec56add
Instruction ID: 3851c420745eee5d8e75f7e9dfed6ad0be81073a13110f552e0c0415dcef8ee6
Opcode Fuzzy Hash: 4a011485193ff7bbe73ed1281c20c4bb99d37cf0ad9ab70f028c15bd2ec56add
Instruction Fuzzy Hash: AD21297220461166D331AB249E0AFBB73D8AF95318F50602EF94DB7082EB529D42C3A5

Function 00EF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EF3876

Strings

Listbox, xrefs: 00EF380F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a9104eac551e597cdc936d462ff2007be3e827377f8966c3404c67ec65da28ae
Instruction ID: e0a88ab03612c95bf70c92d5f5a9c5464ff3c74674396e1a5873545e99e0c82d
Opcode Fuzzy Hash: a9104eac551e597cdc936d462ff2007be3e827377f8966c3404c67ec65da28ae
Instruction Fuzzy Hash: 9821BE7261021CBBEF219F64DC81EBB376AEF897A4F119125FA04AB1D0C675DC52C7A0

Function 00ED49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ED4A5C
SetErrorMode.KERNEL32(00000000,?,?,00EFCC08), ref: 00ED4AD0

Strings

%lu, xrefs: 00ED4A6F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9c354edb556a51621c5f0128b141ed51a7c0cc9a08b15ff211c3e49a46fb2488
Instruction ID: 3476dc44e43831ea2be18b58b25a01d21cd16b821c32fc9c9a06d367dd700161
Opcode Fuzzy Hash: 9c354edb556a51621c5f0128b141ed51a7c0cc9a08b15ff211c3e49a46fb2488
Instruction Fuzzy Hash: 45319174A00108AFDB10DF54C985EAABBF8EF48308F1490A9F809EB352D771ED46CB61

Function 00EF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EF4271

Strings

msctls_trackbar32, xrefs: 00EF4226

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 02f466199ab17588b2d08057793ca48fddcb782433dd78735d80ac7c49dea10b
Instruction ID: 34a089ece2ba1a0e52055e384553cd8277409570c115bf33cb154d4c4d8bfd4f
Opcode Fuzzy Hash: 02f466199ab17588b2d08057793ca48fddcb782433dd78735d80ac7c49dea10b
Instruction Fuzzy Hash: 1B11CE7124024CBEEF205E69CC06FBB3BA8EB85B68F111524FA55F20E0D271D8119B20

Function 00EC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Part of subcall function 00EC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EC2DC5
Part of subcall function 00EC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC2DD6
Part of subcall function 00EC2DA7: GetCurrentThreadId.KERNEL32 ref: 00EC2DDD
Part of subcall function 00EC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EC2DE4

GetFocus.USER32 ref: 00EC2F78

Part of subcall function 00EC2DEE: GetParent.USER32(00000000), ref: 00EC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EC2FC3
EnumChildWindows.USER32(?,00EC303B), ref: 00EC2FEB

Strings

%s%d, xrefs: 00EC2FFF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ee61e124e69147686b7d9737e39c16a5c7e6e68033825e6813ec36b49c557636
Instruction ID: 1bd3f209c8d18f955306dcfdc5486cacb1cfcf6944dab7c0518ff7aa0cbf6693
Opcode Fuzzy Hash: ee61e124e69147686b7d9737e39c16a5c7e6e68033825e6813ec36b49c557636
Instruction Fuzzy Hash: 2B11C6712002099BCF106F709D86FED77A99F94304F149079B909B7292DE71594ACB60

Function 00EF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EF58EE
DrawMenuBar.USER32(?), ref: 00EF58FD

Strings

0, xrefs: 00EF588F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 38375a5336b796012d568740e49e9a3d94a1424a80277abf7c6c5f56385a7d0f
Instruction ID: d463034ccc4a97fd4018f0004a60ef17c8b46ea4a154187085893c086517634a
Opcode Fuzzy Hash: 38375a5336b796012d568740e49e9a3d94a1424a80277abf7c6c5f56385a7d0f
Instruction Fuzzy Hash: 48015E3250021CEEDB219F11DC44BBEBBB4FF85364F208099EA59E6151EB708A84DF21

Function 00EBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EBD3BF
FreeLibrary.KERNEL32 ref: 00EBD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00EBD3B9
X64, xrefs: 00EBD2A8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 62753dd600b339f3a288fd7be197059f90f89cf1403e5a4a4b9142b463e1b051
Instruction ID: d353490d7aa2f8cbe9ed506b6e43104ec5659737e46c145933fbb2b82ab5b72b
Opcode Fuzzy Hash: 62753dd600b339f3a288fd7be197059f90f89cf1403e5a4a4b9142b463e1b051
Instruction Fuzzy Hash: B0F0553180E66A8BD73112114C249FB3370AF50705B78B578E402F101AFB28CC888292

Function 00EC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6b3ed5c8f956fb917b0130e621a8ee4ccaf3892b232e87f9c2d4931ac3ac99
Instruction ID: 9034c68e8b78b92075d845c3edd4fe7a1c861c1ff1e21bea75af1f21afed90c3
Opcode Fuzzy Hash: 3a6b3ed5c8f956fb917b0130e621a8ee4ccaf3892b232e87f9c2d4931ac3ac99
Instruction Fuzzy Hash: C1C13875A0021AEFDB14CF98C994FAEB7B5FF48304F249598E505AB251D732DD42CB90

Function 00EE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EE3459
CoUninitialize.OLE32 ref: 00EE3463
VariantInit.OLEAUT32(?), ref: 00EE346E
VariantClear.OLEAUT32(?), ref: 00EE371B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: da5b8eeca59d1d52d06571c3421023751d9730e41d7917a07f35a8b74eb01f99
Instruction ID: e870932ecf0b54f003f9f2dc3e4daa309af5546733091012754c2d8573f94a65
Opcode Fuzzy Hash: da5b8eeca59d1d52d06571c3421023751d9730e41d7917a07f35a8b74eb01f99
Instruction Fuzzy Hash: 05A16A752043059FC700DF29C589A2AB7E5FF88754F14985EF98AAB362DB30EE05CB91

Function 00EC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC0608
CLSIDFromProgID.OLE32(?,?,00000000,00EFCC40,000000FF,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC062D
_memcmp.LIBVCRUNTIME ref: 00EC064E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5e9d3d79dce81bd8d9d72557f1af9e28e48404d3596edd9a16b8a08109846d66
Instruction ID: 984f79549d55c471e4ba13af5a69166f3363eec0c9abe60f909b5bd13e475db5
Opcode Fuzzy Hash: 5e9d3d79dce81bd8d9d72557f1af9e28e48404d3596edd9a16b8a08109846d66
Instruction Fuzzy Hash: DF81E975A00109EFCB04DF94CA84EEEB7B9FF89315F205558E516BB250DB72AE06CB60

Function 00EA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA14C0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 390f9ae97074a2838b6fa0ef1381555b95e609b884695957e2cba801724286ce
Instruction ID: c19322788d1a4bb5fb398256053f6b5de504c53976b963b440e08b7ac38745f8
Opcode Fuzzy Hash: 390f9ae97074a2838b6fa0ef1381555b95e609b884695957e2cba801724286ce
Instruction Fuzzy Hash: 13413B31A00114ABDF267BBD8C45ABE3AE5EF4F374F2422A5F43CFA192E634584153A1

Function 00EF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EF62E2
ScreenToClient.USER32(?,?), ref: 00EF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EF6382

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c2b3b3649b83b472ede1b4167a530b24b7cfcfa0fd28ca90d2505533a282e163
Instruction ID: 1ba1c5b40bcdf7467268c8de6622889bec7ed9bd73201a40f2d2d4fb55531fd2
Opcode Fuzzy Hash: c2b3b3649b83b472ede1b4167a530b24b7cfcfa0fd28ca90d2505533a282e163
Instruction Fuzzy Hash: 71513974A01209EFDB10DF68D880ABE7BB6FB95364F209169F915AB2A0D730ED41CB50

Function 00EE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE1AFD
WSAGetLastError.WSOCK32 ref: 00EE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE1B8A
WSAGetLastError.WSOCK32 ref: 00EE1B94

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8711677a1bf47da66079d246ed0100fb0dbe83ba8b63d6ea63c9ef688be81c43
Instruction ID: 0e50b22168626ddf60f6d0af9efb96e59642e8e66c3484fc44717625092377ac
Opcode Fuzzy Hash: 8711677a1bf47da66079d246ed0100fb0dbe83ba8b63d6ea63c9ef688be81c43
Instruction Fuzzy Hash: 4341D334640200AFE720AF25D886F2677E5AB44718F54D488F95AAF3D2E772ED81CB90

Function 00E9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7078422d4c9c25d277e49cc5a796b50f0ed3348e16519fd625039448963760e
Instruction ID: b2f69c7aa8477e125e8358909947977c7ec1053de9405b4a928affee86bd6011
Opcode Fuzzy Hash: f7078422d4c9c25d277e49cc5a796b50f0ed3348e16519fd625039448963760e
Instruction Fuzzy Hash: 1C414075A00304BFDB24AF78DD41B9A7BE9EF88710F10552EF115FB291E37199019780

Function 00ED56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ED5783
GetLastError.KERNEL32(?,00000000), ref: 00ED57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ED57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ED57FA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7895fa0debe966d849e3caaeff4f55aa3e93d47e5c44ad0986990195e0359174
Instruction ID: 8338e4144c751cf2a75e46dc41fcc9388acfc899db273b22bc62a8b477aed3f3
Opcode Fuzzy Hash: 7895fa0debe966d849e3caaeff4f55aa3e93d47e5c44ad0986990195e0359174
Instruction Fuzzy Hash: BD414E39600A10DFCB11DF15D544A5EBBF2EF89364B299499E84ABB362CB30FD41CB91

Function 00E9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E882D9,?,00E882D9,?,00000001,?,?,00000001,00E882D9,00E882D9), ref: 00E9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E9D9AB
__freea.LIBCMT ref: 00E9D9B4

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: edde0db4d1acbbbad365edfbac398cf0f9194b2a3efcdeff33cf68e7196e9414
Instruction ID: bc2c30b748ad7309a5d1c0d107f8adc0acb44fe2195c45861db883e5ec2a88be
Opcode Fuzzy Hash: edde0db4d1acbbbad365edfbac398cf0f9194b2a3efcdeff33cf68e7196e9414
Instruction Fuzzy Hash: BC31EF72A0021AABDF24EFA5DC41EAE7BA5EB80314F150169FC08F7290EB75CD54CB90

Function 00EF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00EF5352
GetWindowLongW.USER32(?,000000F0), ref: 00EF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF53A8

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: aaac3aca062c773bdc04a2063adf699a38e49717d8d3cfa28c6b8acd620d07d8
Instruction ID: 15d291ab4833ee5e0e1b75e23b5fa6ff151c83920e5a6bc4c2f43b743be2eb20
Opcode Fuzzy Hash: aaac3aca062c773bdc04a2063adf699a38e49717d8d3cfa28c6b8acd620d07d8
Instruction Fuzzy Hash: 3131A136A57A0CEFEB209A1CCC05BF877A6AB25394F586111FB10B61E5C7B09940EB42

Function 00ECAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00ECABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ECAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ECAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00ECACC6

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c6c19bba2ee97fa1a498a664eb7553687968bde37fd47f5e6b33d6d459cf2189
Instruction ID: 232264d93960c3380e3a72b21b5cba752499a1bf68b07b199f02fc467cbb25d3
Opcode Fuzzy Hash: c6c19bba2ee97fa1a498a664eb7553687968bde37fd47f5e6b33d6d459cf2189
Instruction Fuzzy Hash: C1311A3094431C6FEB34CB658904FFEB6A56B8531CF1C622EE481B21D1C37689568752

Function 00EF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EF769A
GetWindowRect.USER32(?,?), ref: 00EF7710
PtInRect.USER32(?,?,00EF8B89), ref: 00EF7720
MessageBeep.USER32(00000000), ref: 00EF778C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1cbc3953f008a34055697cf4993d4161603f869e704709c6ac923d41eb9a8f6e
Instruction ID: 85b986e892a169766d4d18b189de1b41550f2fd41c8c0e128538033d3cd17b06
Opcode Fuzzy Hash: 1cbc3953f008a34055697cf4993d4161603f869e704709c6ac923d41eb9a8f6e
Instruction Fuzzy Hash: 03419E3461921CDFDB01EF59C894EB977F5BB48315F2550AAE694AB2A1C330E941CB90

Function 00EF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EF16EB

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

GetCaretPos.USER32(?), ref: 00EF16FF
ClientToScreen.USER32(00000000,?), ref: 00EF174C
GetForegroundWindow.USER32 ref: 00EF1752

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3cf063eb0d1cd477cd9a9ec2ca568b7694ea199ddff8a91e22f9a2fd4aac8866
Instruction ID: 96a2ce4eed4aecc60f4c69195b860209d166926068f351dc3a2d16d2f22daaff
Opcode Fuzzy Hash: 3cf063eb0d1cd477cd9a9ec2ca568b7694ea199ddff8a91e22f9a2fd4aac8866
Instruction Fuzzy Hash: 99315275D00149AFC700EFA5D981CBEBBF9EF48308B6490AAE455F7251D6319E45CBA0

Function 00ECDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

_wcslen.LIBCMT ref: 00ECDFCB
_wcslen.LIBCMT ref: 00ECDFE2
_wcslen.LIBCMT ref: 00ECE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00ECE018

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: fe657e6fc21efdd195d7b64b560ca2e55dc9e5db0dcd331da35a5db53e418df3
Instruction ID: 60e47b64ac4821d30084826ac93a70232348d49e2866eb64b2822696e2c949e0
Opcode Fuzzy Hash: fe657e6fc21efdd195d7b64b560ca2e55dc9e5db0dcd331da35a5db53e418df3
Instruction Fuzzy Hash: 5E21A671900215AFCB20EF64DD82B6EB7F8EF85760F145069E809BB381D6719D41CBA1

Function 00ECD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ECD501
Process32FirstW.KERNEL32(00000000,?), ref: 00ECD50F
Process32NextW.KERNEL32(00000000,?), ref: 00ECD52F
CloseHandle.KERNEL32(00000000), ref: 00ECD5DC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c6ba6ebaa2c874349c6a1ada1e0cbe4a4f8c542b091cda2a24e8ca185c867246
Instruction ID: 80565d4bc74b217e3d09fb86ee31d40304d6b9eaea9f4e9c763dfe6d4a24fb65
Opcode Fuzzy Hash: c6ba6ebaa2c874349c6a1ada1e0cbe4a4f8c542b091cda2a24e8ca185c867246
Instruction Fuzzy Hash: D5318F711082009FD304EF54DD81EABBBF8AFD9394F24152DF581A31A2EB729949CB92

Function 00EF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetCursorPos.USER32(?), ref: 00EF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EB7711,?,?,?,?,?), ref: 00EF9016
GetCursorPos.USER32(?), ref: 00EF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EB7711,?,?,?), ref: 00EF9094

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 38a29480140310c553fe3a0722c6eaa91641b4e2ad1c201b44f65196922770db
Instruction ID: a9f446d2ba5d2fdc97bc8891528dcf9e5a1b1ceb5b11c1372fb69298bacfb6ec
Opcode Fuzzy Hash: 38a29480140310c553fe3a0722c6eaa91641b4e2ad1c201b44f65196922770db
Instruction Fuzzy Hash: 4F218D3160001CAFDB258F95C858FFA3BB9EB89360F104065FA456B2A2C7759A90EB60

Function 00ECD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EFCB68), ref: 00ECD2FB
GetLastError.KERNEL32 ref: 00ECD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ECD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EFCB68), ref: 00ECD376

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da45d3487e40d2460e8329af32181ba04c2d8784f1724442b097029b64a3c85
Instruction ID: c2dd301c50ed8d562c180fcef43c9b4bf1d142dfa9d28f64f9abb3766183e96e
Opcode Fuzzy Hash: 1da45d3487e40d2460e8329af32181ba04c2d8784f1724442b097029b64a3c85
Instruction Fuzzy Hash: 7B21D8705083059F8300DF28DE819AE77E4EF95364F205A2DF495E72A1D732D90ACB53

Function 00EC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC102A
Part of subcall function 00EC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1036
Part of subcall function 00EC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1045
Part of subcall function 00EC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC104C
Part of subcall function 00EC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EC15BE
_memcmp.LIBVCRUNTIME ref: 00EC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC1617
HeapFree.KERNEL32(00000000), ref: 00EC161E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b247d43992ed6d0e9d26f0c9b34592212981776298a09ab2489aee79d2da4569
Instruction ID: 165eaef5e740f0723d78fb44ddca7d3c345fba49e10f8f527624418e4bb5a29e
Opcode Fuzzy Hash: b247d43992ed6d0e9d26f0c9b34592212981776298a09ab2489aee79d2da4569
Instruction Fuzzy Hash: A7217C71E00108AFDB00DFA4CA45FEEB7B8EF85344F284499E445B7242D732AA46DB50

Function 00EF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EF2840

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6a5638da61a0b5351fc17d572e393104f0425e95783a9461e4fe2a7fa8de1a4e
Instruction ID: e8c96e4a0783c8fcedfb066b637a9a87060a4487c310abf81558c343a5456efb
Opcode Fuzzy Hash: 6a5638da61a0b5351fc17d572e393104f0425e95783a9461e4fe2a7fa8de1a4e
Instruction Fuzzy Hash: 9C21F131204559AFD7149B24C844FBA7B99EF85324F24915CF626EB2E2C771FC82C790

Function 00EC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?), ref: 00EC8D8C
Part of subcall function 00EC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC8DB2
Part of subcall function 00EC8D7D: lstrcmpiW.KERNEL32(00000000,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?), ref: 00EC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7923
lstrcpyW.KERNEL32(00000000,?,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7984

Strings

cdecl, xrefs: 00EC797B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8c566321608f99e81957db2c9bf978a162cc3821a84a378eef91d5d4f44fa74e
Instruction ID: 24f9efc61a5dc40153d84f39801bdc0447b8449b9db72457ad95effac927a1b3
Opcode Fuzzy Hash: 8c566321608f99e81957db2c9bf978a162cc3821a84a378eef91d5d4f44fa74e
Instruction Fuzzy Hash: 8B11063A200201AFCB159F35D944E7A77E9FF85354B10502EF986D7264EB329812CB61

Function 00EF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EDB7AD,00000000), ref: 00EF7D6B

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d81650bcbe5522d0f0d8ce3dcb16e052282bf8b313c8f84a1669266893c3bb35
Instruction ID: 1cd555d7302c823159f701539ad89f84149764a7fbbf360afb9b7719be273740
Opcode Fuzzy Hash: d81650bcbe5522d0f0d8ce3dcb16e052282bf8b313c8f84a1669266893c3bb35
Instruction Fuzzy Hash: FF11D23120561DAFCB108F29CC04AB63BA5BF86374B619324F979EB2F0D7318951DB40

Function 00EF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00EF56BB
_wcslen.LIBCMT ref: 00EF56CD
_wcslen.LIBCMT ref: 00EF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF5816

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b5ddc812aecff91a7101043d1b9df6b14cf464a2eb6e729bef6de6b4748dbc85
Instruction ID: 9fbefe0bd05640276d8534da3fae1439dfcc6105222c598c99b556a6641955d5
Opcode Fuzzy Hash: b5ddc812aecff91a7101043d1b9df6b14cf464a2eb6e729bef6de6b4748dbc85
Instruction Fuzzy Hash: AD11D67260060D96DB209F61CC85AFE77BCEF61764F10902AFB2AF6081E770C984CB61

Function 00E91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9327c41487761cafd91e00e2ec3e10787364b283c780b08fad9bcb59d11d30
Instruction ID: 56928664ecb133fb951ea81433ace9127010ad0735299835e1fd150e2d4d7490
Opcode Fuzzy Hash: 3c9327c41487761cafd91e00e2ec3e10787364b283c780b08fad9bcb59d11d30
Instruction Fuzzy Hash: E2016DF220A71B7EFE2126796CC1F67666DDF813B9B352369F631B11D2DB608C009160

Function 00EC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A8A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: def05be0b22db8b234876082315033e302d954ff9f27e0e57412b263c5d95faa
Instruction ID: ee403ab5bd6888e1b6efbee2e53354fd246c755b15622496c3f2af8576f87e06
Opcode Fuzzy Hash: def05be0b22db8b234876082315033e302d954ff9f27e0e57412b263c5d95faa
Instruction Fuzzy Hash: 1E11393AD01219FFEB10DBA5CD85FADBB78EB08750F200095EA00B7290D6716E51DB94

Function 00ECE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ECE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00ECE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ECE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ECE24D

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: cf08a91690d1cd0d09ee07b4f08ef4f33260483d142ce4dd7fe3a52f72a93519
Instruction ID: 1933f778703494bcb5be8c276e932a9941f6aaff0757dbca04fff4509005722d
Opcode Fuzzy Hash: cf08a91690d1cd0d09ee07b4f08ef4f33260483d142ce4dd7fe3a52f72a93519
Instruction Fuzzy Hash: 3911087290521CBFC7059BA89D05FAE7FADAB85324F204259F824F3391D271CD0487A0

Function 00E8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E8CFF9,00000000,00000004,00000000), ref: 00E8D218
GetLastError.KERNEL32 ref: 00E8D224
__dosmaperr.LIBCMT ref: 00E8D22B
ResumeThread.KERNEL32(00000000), ref: 00E8D249

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f316738cf2351f0404bf58e0ac77a9cffad0380c9dc05a7ca54d35ee964cd4cc
Instruction ID: 1a118a67076742c7a9304b33d26478d4f984ba0358f52d9a4a048355865b9eb2
Opcode Fuzzy Hash: f316738cf2351f0404bf58e0ac77a9cffad0380c9dc05a7ca54d35ee964cd4cc
Instruction Fuzzy Hash: 9F01D636409208BFDB117BA5DC09BAE7BA9EF81730F201259F92DB21F0CB708905C7A0

Function 00EF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetClientRect.USER32(?,?), ref: 00EF9F31
GetCursorPos.USER32(?), ref: 00EF9F3B
ScreenToClient.USER32(?,?), ref: 00EF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00EF9F7A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8c2534c0415d4fa1829ad2f9b0ff6e699710c7972d6ac4307a652e41ccba40d1
Instruction ID: d2f1391bc1cc6bcccddd7f328846caa9c863d2d2c239cc15be7610c8c9561079
Opcode Fuzzy Hash: 8c2534c0415d4fa1829ad2f9b0ff6e699710c7972d6ac4307a652e41ccba40d1
Instruction Fuzzy Hash: 6F112532A0011EABDB10DF69C849AFE77B9FB45311F204451FA51F7142D730AA85CBA1

Function 00E6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
GetStockObject.GDI32(00000011), ref: 00E66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 130041926f5b3f37cff945bbca058dbeffde79f02d293e82a75fe09c7d3ce606
Instruction ID: e89556b58fd36df9afb37d1b332a828ef2245dc6ecce0906ba838312559e35e7
Opcode Fuzzy Hash: 130041926f5b3f37cff945bbca058dbeffde79f02d293e82a75fe09c7d3ce606
Instruction Fuzzy Hash: D7118E72101508BFEF625FA49C44AEABF69EF483A4F101116FA0466050D772DC60DB90

Function 00E83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E83B56

Part of subcall function 00E83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E83AD2
Part of subcall function 00E83AA3: ___AdjustPointer.LIBCMT ref: 00E83AED

_UnwindNestedFrames.LIBCMT ref: 00E83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E83BA4

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7ae86b8f66f9b4d4c218ffe7e59f868d7b54156177a2b3104daa18e17e7ea620
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CF0129B2100149BBDF126EA5CC42EEB7FA9EF48B58F045014FE4C66121D732E961EBA0

Function 00E93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E613C6,00000000,00000000,?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue), ref: 00E930A5
GetLastError.KERNEL32(?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue,00F02290,FlsSetValue,00000000,00000364,?,00E92E46), ref: 00E930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue,00F02290,FlsSetValue,00000000), ref: 00E930BF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f3845d7a78cfb7c8171685455f5d2f2a355ce16b545fff3d7dc4789144577487
Instruction ID: 5905f76ad6173c06a50fbdda4835b69a7ffe38466d931b5562eaf952a543f933
Opcode Fuzzy Hash: f3845d7a78cfb7c8171685455f5d2f2a355ce16b545fff3d7dc4789144577487
Instruction Fuzzy Hash: 9A01F232302726ABDF314B79AC44AAB7B99EF45BA5B314620F916F3150DB21DD09C6E0

Function 00EC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EC74CA

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5388b656015e84b692b1f62c17c091af270c77d97ed49d9a972de5f8b0aa398d
Instruction ID: 8f78469130953977ea9900a6929e8b94e9080b0bdd398da1c081adfb8b114aee
Opcode Fuzzy Hash: 5388b656015e84b692b1f62c17c091af270c77d97ed49d9a972de5f8b0aa398d
Instruction Fuzzy Hash: 57117CB12053149FE7248F14DE09FA2BBB8FB40B04F20856DA6B6E6151D771E909DF50

Function 00ECB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB126

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fe46abf3e55da658b5fccea143b4e18980a2f57b3a1def19fc3bdf9a31ff6eb3
Instruction ID: 98141121cf50c4028a809f5c71d8ca38f8e182c8dc1d787194fe6f66c7f3a402
Opcode Fuzzy Hash: fe46abf3e55da658b5fccea143b4e18980a2f57b3a1def19fc3bdf9a31ff6eb3
Instruction Fuzzy Hash: C9112A31C0251CEBCF049FA5DA5ABEEBB78FF49711F205089D941B2181CB315552CB52

Function 00EF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EF7E33
ScreenToClient.USER32(?,?), ref: 00EF7E4B
ScreenToClient.USER32(?,?), ref: 00EF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EF7E8A

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 97f2378979fd75269a60841b4749b9d7f893771a231bdad25fc90b597cf2a1e2
Instruction ID: 973ec7d558bd7d6a1d3b9cb5f95736b590c6556552e23bf803a40f99e411d9ae
Opcode Fuzzy Hash: 97f2378979fd75269a60841b4749b9d7f893771a231bdad25fc90b597cf2a1e2
Instruction Fuzzy Hash: 821143B9D0420EAFDB41DFA9C9849EEBBF5FB48310F505066E915E2210D735AA54CF50

Function 00EC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC2DD6
GetCurrentThreadId.KERNEL32 ref: 00EC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EC2DE4

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1d4459fe1154616ea893395003d9d9a5cec17f220092eba942bbabab168ceb76
Instruction ID: f7f28e72d71f3113a223d21d2b6911e351a18e8a461193fa78a921b54334a41f
Opcode Fuzzy Hash: 1d4459fe1154616ea893395003d9d9a5cec17f220092eba942bbabab168ceb76
Instruction Fuzzy Hash: 2FE06D711052287BD7201B639E0DFFB3E6CEF92FA1F61101DB206F10809AA18985C6B0

Function 00EF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796A2
Part of subcall function 00E79639: BeginPath.GDI32(?), ref: 00E796B9
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EF8887
LineTo.GDI32(?,?,?), ref: 00EF8894
EndPath.GDI32(?), ref: 00EF88A4
StrokePath.GDI32(?), ref: 00EF88B2

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d17b62a5f251a68c38a9f4c6e0f0fac8f743f409d6928eb8804123875a42330b
Instruction ID: 93d3a766fd58ae21300e2eb041ae76b697ada62aa03bc91f46ca6781f867ca5e
Opcode Fuzzy Hash: d17b62a5f251a68c38a9f4c6e0f0fac8f743f409d6928eb8804123875a42330b
Instruction Fuzzy Hash: 58F09A3600225CBADB125F95AD09FEA3E69AF46324F608000FA01710E2CB740525DBE5

Function 00E798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E798CC
SetTextColor.GDI32(?,?), ref: 00E798D6
SetBkMode.GDI32(?,00000001), ref: 00E798E9
GetStockObject.GDI32(00000005), ref: 00E798F1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4d9fbd0125f266b6af22f389ad49b180ae5c153219a8d160bea6a099991e8f46
Instruction ID: e40e8542bc5f7eb6b6d0bb34cef268b69de7b704055e0374f85aaef92438db8a
Opcode Fuzzy Hash: 4d9fbd0125f266b6af22f389ad49b180ae5c153219a8d160bea6a099991e8f46
Instruction Fuzzy Hash: D1E06531245244AEDB215B75BD09BF93F21EB91336F348219F6F9680E1C3714654DB10

Function 00EC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EC11D9), ref: 00EC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EC11D9), ref: 00EC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EC11D9), ref: 00EC164F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 87d51e64d14c0110367ca8a009999324d3fdb72e6c3db4f16de5261bb1cb2745
Instruction ID: 18d6354980e346dc7ca2756f833eae65a0ea6dae41ca631633a2f9e9293ec7b1
Opcode Fuzzy Hash: 87d51e64d14c0110367ca8a009999324d3fdb72e6c3db4f16de5261bb1cb2745
Instruction Fuzzy Hash: D4E08632602215DFD7201FB29F0DF663B7CEF85795F344848F245E9090EA35444AC750

Function 00EBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EBD858
GetDC.USER32(00000000), ref: 00EBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EBD882
ReleaseDC.USER32(?), ref: 00EBD8A3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 926f3a78b261c1571143871e3d86af4c68b66e87fbf866b36850ba9f93d6c140
Instruction ID: 9f687f295aa8e860b572a047957c1d34557fdf464ecab1b3bc73ea5c6af0fdc3
Opcode Fuzzy Hash: 926f3a78b261c1571143871e3d86af4c68b66e87fbf866b36850ba9f93d6c140
Instruction Fuzzy Hash: 44E0ED70904208DFCB419FA1990867DBBB1AB48711B359405E846F7350CB344506DF40

Function 00EBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EBD86C
GetDC.USER32(00000000), ref: 00EBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EBD882
ReleaseDC.USER32(?), ref: 00EBD8A3

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0fc22298b96b82ce398078684c89add597d262d9f522ad7703658f25ef430b1c
Instruction ID: f33eaa02f141e09ef910c3cbe107a49a60cfca34926d17a0170002cbd1fae124
Opcode Fuzzy Hash: 0fc22298b96b82ce398078684c89add597d262d9f522ad7703658f25ef430b1c
Instruction Fuzzy Hash: 7BE01A70904208DFCB409FA1D90867DBBF1BB48710B359408E84AF7350CB38590ADF40

Function 00ED4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00ED4ED4

Strings

*, xrefs: 00ED4E10
LPT, xrefs: 00ED4DFB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d1f81c08d46f29236255672eb29ac830ce79159c159315f895778f9f866638e8
Instruction ID: 6b21725fb5aaaa7f5d9c7f895244a38e96db1e6bb93e33fe165cc80b16234f8d
Opcode Fuzzy Hash: d1f81c08d46f29236255672eb29ac830ce79159c159315f895778f9f866638e8
Instruction Fuzzy Hash: EB9176B5A002449FCB14DF54C484EA9BBF5FF54308F14A09AE84AAF3A2D731ED46CB51

Function 00E8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E8E30D

Strings

pow, xrefs: 00E8E2E5, 00E8E302

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0dcf7bc4b112c38c16574d3689ce3e76bd212904e27929bd851e79df58072d0a
Instruction ID: 2ccc24f0b851db15b874a4aaa96cc880c2305df9b5ae448a2a5ddca28ae6922f
Opcode Fuzzy Hash: 0dcf7bc4b112c38c16574d3689ce3e76bd212904e27929bd851e79df58072d0a
Instruction Fuzzy Hash: 8F516C61A2C20696CF157714CD013BA3BE4FB41B85F306958E0DE723F9EB348C899B46

Function 00E7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E7E1B1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4eddde027e735cd8403489c014450723b62a1f24db785753c9468d30892b2672
Instruction ID: b7c3a4ed198095a2055c406f65cab71f65044d282482435e5774be3be25f96f1
Opcode Fuzzy Hash: 4eddde027e735cd8403489c014450723b62a1f24db785753c9468d30892b2672
Instruction Fuzzy Hash: 16514635504296EFDB19DF68C0416FA7BA8EF19314F24A096E891BB3E1DA309D42DB90

Function 00E7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E7F2BB

Strings

@, xrefs: 00E7F2AF

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2b039d1505a0bff3146ed4d3169ab0eee25c37000ac11e1f3d415979eed3c627
Instruction ID: 4aa50218cb42df343aa6d151583e81f840340f7e48f407b578d91875e733798e
Opcode Fuzzy Hash: 2b039d1505a0bff3146ed4d3169ab0eee25c37000ac11e1f3d415979eed3c627
Instruction Fuzzy Hash: 3051777141C7499BD320AF50E886BABBBF8FB84344F91884CF1D9510A5EB718529CB66

Function 00EE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EE57E0
_wcslen.LIBCMT ref: 00EE57EC

Strings

CALLARGARRAY, xrefs: 00EE57E6, 00EE57EB

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: baed649f448199b9886dca85b80c4ff28ac959776335404e97e0a9e748adcc9a
Instruction ID: 5085cbee03702cbb2b319b70913cac9c0ea68a2286beb5188663b6a92a9af93e
Opcode Fuzzy Hash: baed649f448199b9886dca85b80c4ff28ac959776335404e97e0a9e748adcc9a
Instruction Fuzzy Hash: 4241C232A001099FCB08DFA9C8829BEBBF5FF59328F10602DE505B7251E7309D81CB50

Function 00EDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EDD13A

Strings

|, xrefs: 00EDD10B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b2feed8ed6e184aa9e0696431e66c919d4f5cbfcea83b574c77950501f2a6f0e
Instruction ID: 45c731082d55ac9d15e122059eacad202f2b7e1f82c5ff5cced49d2c66064c43
Opcode Fuzzy Hash: b2feed8ed6e184aa9e0696431e66c919d4f5cbfcea83b574c77950501f2a6f0e
Instruction Fuzzy Hash: 44313E71D01119ABCF15EFA4DC85AEE7FB9FF04344F101119F819B6261E731AA06DB90

Function 00EF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EF365C

Strings

static, xrefs: 00EF35BC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9eb67adf50c6c6eb5eb734b2ea32ada3693051c44cef5f84967578f1cc8caac5
Instruction ID: 8f15a57bc2a3e6087cd29c6fe39b53f4a3d02eacdcbd89fed4b54e30b0a9a133
Opcode Fuzzy Hash: 9eb67adf50c6c6eb5eb734b2ea32ada3693051c44cef5f84967578f1cc8caac5
Instruction Fuzzy Hash: 49318E71110208AEDB20DF78DC40ABB73A9FF88764F11A619F9A5E7290DA30ED81D760

Function 00EF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF4634

Strings

', xrefs: 00EF458E

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e09f63194cfe0faf95de0dd3838610d49409d11c57a4b28280c76e00960587e2
Instruction ID: d11408ebaabbc465db7aba58d2c2ef8825cbe7b944a71251d8c44139bf047919
Opcode Fuzzy Hash: e09f63194cfe0faf95de0dd3838610d49409d11c57a4b28280c76e00960587e2
Instruction Fuzzy Hash: 043138B5A0120D9FDB14DFA9C980BEA7BB5FF49304F15506AEA04EB391E770A941CF90

Function 00EF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF3287

Strings

Combobox, xrefs: 00EF3249

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0ce39ff817cf60d24e248c68ba112061ce35eac148f1546449b1f5e50ca1fe08
Instruction ID: 1c5139acb789b632778abc764d0e14a361e71c8bcd99b9fddf1c2b3c162f18f3
Opcode Fuzzy Hash: 0ce39ff817cf60d24e248c68ba112061ce35eac148f1546449b1f5e50ca1fe08
Instruction Fuzzy Hash: C511B27130020C7FFF259EA4DC80EBB37ABEB943A8F205525FA18A72A0D631DD519760

Function 00EF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
Part of subcall function 00E6600E: GetStockObject.GDI32(00000011), ref: 00E66060
Part of subcall function 00E6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

GetWindowRect.USER32(00000000,?), ref: 00EF377A
GetSysColor.USER32(00000012), ref: 00EF3794

Strings

static, xrefs: 00EF3757

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5f63d5b9b0e83078a4dd181119e6f328c6da409fee4066f1a148fa48d3f846f4
Instruction ID: c6a195a8d9aca6bb7a3dc127e14002c2d79495a170de7cf6034dbb0a14f0ef45
Opcode Fuzzy Hash: 5f63d5b9b0e83078a4dd181119e6f328c6da409fee4066f1a148fa48d3f846f4
Instruction Fuzzy Hash: DB1147B261020DAFDB00EFB8CC45AFA7BB9EB08314F105925FA55E2250E734E810DB50

Function 00EDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EDCDA6

Strings

<local>, xrefs: 00EDCD66

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1d0ec27b6d4d35e9592e6a48df19e9145927eb787d71a562dbad2f82b0dae9f5
Instruction ID: 453dd7ec1faebe2069865ab0d84efb3ab306af533224bd22b9ded519fd4c090f
Opcode Fuzzy Hash: 1d0ec27b6d4d35e9592e6a48df19e9145927eb787d71a562dbad2f82b0dae9f5
Instruction Fuzzy Hash: AC11A3712056367ED7284A668C45EF7BE6AEF527E8F205227B109A3280D6709846D6F0

Function 00EF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EF34BA

Strings

edit, xrefs: 00EF348F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a4ee1d4c8636ca2e2f9f368000ffafb0fc5b10fb7d0d1721cf881ed7c73cc29a
Instruction ID: 9a1767c435b1e6c8f9381c82731f272ddf34ca17aac8b2198941ba9b2ee7aa64
Opcode Fuzzy Hash: a4ee1d4c8636ca2e2f9f368000ffafb0fc5b10fb7d0d1721cf881ed7c73cc29a
Instruction Fuzzy Hash: 76116D7110020CAEEB218E74DC44AFA37AAEB45778F606724FA71A31D0C771DC519B60

Function 00EC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EC6CB6
_wcslen.LIBCMT ref: 00EC6CC2

Strings

STOP, xrefs: 00EC6CBC, 00EC6CC1

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4c886c675ecd49685b588706942f3e5dee338da04ce9222d328fda14fedc3d1e
Instruction ID: 60582c35400b001204d237ab5a6b927f040ca487d4a991860ac57a18327d5f1b
Opcode Fuzzy Hash: 4c886c675ecd49685b588706942f3e5dee338da04ce9222d328fda14fedc3d1e
Instruction Fuzzy Hash: F601C8326005278BCB20AFBDDE80EBF77F5EB61754710192CE462B7195EA32D941C650

Function 00EC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EC1D4C

Strings

ComboBox, xrefs: 00EC1CEB
ListBox, xrefs: 00EC1D16

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1f7395703b4154546ffe1b0af1e82fb603f3bca7a7a741d4694a0c7deeeeec17
Instruction ID: 68a69fd382bb3088b557367f25a1e1f6517706412c33c45404e7bef005e9cbd4
Opcode Fuzzy Hash: 1f7395703b4154546ffe1b0af1e82fb603f3bca7a7a741d4694a0c7deeeeec17
Instruction Fuzzy Hash: 63012D716401146BCB08EBA0DE11DFE77A8EB53390B10190DF823772C2EA31991DD661

Function 00EC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EC1C46

Strings

ComboBox, xrefs: 00EC1BE5
ListBox, xrefs: 00EC1C10

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99612bab837aa8ac9d17d9341680d38b8509a346ba691b4a7aa579153a577886
Instruction ID: 46f254f4d269d76f0282dab2789c3f89ea740bbff60df24026901d6f1e98f285
Opcode Fuzzy Hash: 99612bab837aa8ac9d17d9341680d38b8509a346ba691b4a7aa579153a577886
Instruction Fuzzy Hash: A501887568110467CB08E7A0DB51FFFB7EC9B52780F14105DB40677283EA359A1DE672

Function 00EC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EC1CC8

Strings

ComboBox, xrefs: 00EC1C69
ListBox, xrefs: 00EC1C94

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cbe51e55f77727ee382b73e4e23dfdf93af37b4cf0b7bfe29edbbed514ff385b
Instruction ID: ce8776ae50046f7ca2dae322f17e2e61fbc834590dcde0a3ca9e507b085e2048
Opcode Fuzzy Hash: cbe51e55f77727ee382b73e4e23dfdf93af37b4cf0b7bfe29edbbed514ff385b
Instruction Fuzzy Hash: A901A77168011867CB08E7A0DB11FFEB3EC9B12780F242019B80173283EA369F1AD672

Function 00EC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EC1DD3

Strings

ComboBox, xrefs: 00EC1D75
ListBox, xrefs: 00EC1DA0

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c3e281c329159c50047a5806c60e229f95893cc85c13c36bd48abec7ddbeb9ed
Instruction ID: f8601b9c9676d67fdb609aa2c80a2d7a82eb4994bb52fb4d5824666e2465d4eb
Opcode Fuzzy Hash: c3e281c329159c50047a5806c60e229f95893cc85c13c36bd48abec7ddbeb9ed
Instruction Fuzzy Hash: 70F0F971A4021467C704F7A4DE51FFEB7ACAB02790F141919B422732C3DA71991D8271

Function 00EE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE7493
_wcslen.LIBCMT ref: 00EE74B9

Strings

3, 3, 16, 1, xrefs: 00EE7483

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b1489c2e7390d7975fd3b016dcd48b2e892eec923d87a438afa90ca4dd976d14
Instruction ID: fff57d82c5a48ef1bcab021d8c5cae2741583c27254abbf4e3337451a71458b8
Opcode Fuzzy Hash: b1489c2e7390d7975fd3b016dcd48b2e892eec923d87a438afa90ca4dd976d14
Instruction Fuzzy Hash: 37E02B42205362109331327BACC197F5AC9CFC9750710382BF9DDF22E6EA94CD9193A1

Function 00EC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EC0B23

Strings

AutoIt, xrefs: 00EC0B17
Error allocating memory., xrefs: 00EC0B1C

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 82f44772052fe63958d0de3862bd7d946c4b04459f074602969f8d8ccc8af1e2
Instruction ID: 433498443dc57f445583d4c0372d79334014cafce7216932cd78b5900b997839
Opcode Fuzzy Hash: 82f44772052fe63958d0de3862bd7d946c4b04459f074602969f8d8ccc8af1e2
Instruction Fuzzy Hash: 8CE0D83128431C2AD21036957D03F997AC4CF05F60F30542BF75CB54C38AE2649087E9

Function 00E80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E80D71,?,?,?,00E6100A), ref: 00E7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E6100A), ref: 00E80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E6100A), ref: 00E80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E80D7F

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b609f9239e3c20e20ccb513182ed5a6f3d576f1ccd60a581a9f2dc429ba2fbfb
Instruction ID: e68328a383d090033efc70fd351b1dd060854c515e535712f059fcac0a0d85b1
Opcode Fuzzy Hash: b609f9239e3c20e20ccb513182ed5a6f3d576f1ccd60a581a9f2dc429ba2fbfb
Instruction Fuzzy Hash: 90E06D702007118FE3A0AFB9E5043527BE4AF40754F10992DE48EE66A1DBB0E448CB91

Function 00ED3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00ED302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00ED3044

Strings

aut, xrefs: 00ED3038

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c4912a55b55b5952b94e5ecab6115a060ff772058f46286b0bbb90af3ef082ce
Instruction ID: a9ec6038ae60b77e78e4963c78355a2357255921f0d738319cf12c50770f1c86
Opcode Fuzzy Hash: c4912a55b55b5952b94e5ecab6115a060ff772058f46286b0bbb90af3ef082ce
Instruction Fuzzy Hash: 8DD05B71500328ABDA209795AD0DFD73A6CD744750F1001517655E20A1DAB4D548CAD0

Function 00EBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EBD220

Strings

X64, xrefs: 00EBD2A8
%.3d, xrefs: 00EBD22B

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 84bfe9d92bfe89372cb14b194af0cabfd3f0ad0b06f5a7774b916e410f7c34e2
Instruction ID: 738b074474c6c66fb57f9ecac541c6bec4f6089ea6a85407b0b556cc54b86092
Opcode Fuzzy Hash: 84bfe9d92bfe89372cb14b194af0cabfd3f0ad0b06f5a7774b916e410f7c34e2
Instruction Fuzzy Hash: 72D01271C0D158E9CB5096D0DC458FBB3BCEB48301F60A462F90AB1060F624C908AB61

Function 00EF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF236C
PostMessageW.USER32(00000000), ref: 00EF2373

Part of subcall function 00ECE97B: Sleep.KERNELBASE ref: 00ECE9F3

Strings

Shell_TrayWnd, xrefs: 00EF2365

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 068cf6914bc5219e5526023d8a09fc4dab67db270c529ad5377617d91ad326ff
Instruction ID: 20dfa903c509f8f041db51c1c829566853baa92b9443e5fa380ce4f3f57ac645
Opcode Fuzzy Hash: 068cf6914bc5219e5526023d8a09fc4dab67db270c529ad5377617d91ad326ff
Instruction Fuzzy Hash: D8D0A9323803107AE264A331AD0FFC666149B80B00F2009167201FA1D0C8B0A805CA05

Function 00EF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EF233F

Part of subcall function 00ECE97B: Sleep.KERNELBASE ref: 00ECE9F3

Strings

Shell_TrayWnd, xrefs: 00EF2325

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f96e2f5d1bc6667d0336dd73789b48d395f9bf5fd482ec4323bbf118d6af05b
Instruction ID: 4babdb658e45ae115ea9a7fc0ac4bc19ee8047d130ca5af95f474d7d84535741
Opcode Fuzzy Hash: 0f96e2f5d1bc6667d0336dd73789b48d395f9bf5fd482ec4323bbf118d6af05b
Instruction Fuzzy Hash: 30D02232384310BBE264B331ED0FFD67A149B80B00F2009167305FA1D0C8F0A805CA00

Function 00E9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E9BE93
GetLastError.KERNEL32 ref: 00E9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9BEFC

Memory Dump Source

Source File: 00000000.00000002.2083739100.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2083723509.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083791399.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083840737.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083865299.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f63307a895b039d90631045b57bae02a262c41af14b4f05ad9f55c9924cf188f
Instruction ID: 3ca102dbad09f69ad41849d1107957297942cd0c0e6d365429192c96eb4c8d25
Opcode Fuzzy Hash: f63307a895b039d90631045b57bae02a262c41af14b4f05ad9f55c9924cf188f
Instruction Fuzzy Hash: F341D43470020AAFCF219F65EE44ABE7BA9EF41714F246169F959B71A1DB308D01CB50

Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-988342958&timestamp=1727888886778 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=e18Ty73cNctU-x-JfN4SojX4PcnEo1Dct535sF23s5zGil8NI1Ieor1cshi73dBRsUZOWYv9o3px5TxTrnfZcfGOT54v28QW9Wuh8Qt5KH0IYa4hQPLbP4CtCFQTD3hIojucazjRTAwZ6Qt5GxWUHWpvIST0Ru38iFyVDG4fqL48Fu4Pz0g
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=N8RZGtEacBEtvUL&MD=sR+8pM3y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=N8RZGtEacBEtvUL&MD=sR+8pM3y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 00E7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 00E642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00E642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00ECDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Function 00EF1C41 Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Function 00EEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00E62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00EA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre