Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524530
MD5:	015f30ab4a592ca2cfcd7419793a0974
SHA1:	b483c989c924e274e920a41a2283422bb7b9a62c
SHA256:	bd70def4378a1772742bf8943b919e5faed5b8c3bb08f9fff4f8bfdcf3da7ee6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 015F30AB4A592CA2CFCD7419793A0974)

taskkill.exe (PID: 6196 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5968 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5596 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2924 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5480 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2668 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7140	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_74.13.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_74.13.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_82.13.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_74.13.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_74.13.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_82.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_82.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_74.13.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_74.13.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_74.13.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_74.13.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_74.13.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_82.13.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_74.13.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_74.13.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_74.13.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_82.13.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_74.13.dr	String found in binary or memory: https://www.google.com
Source: chromecache_74.13.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_82.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_74.13.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_74.13.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.1712554326.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711487191.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711308627.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/
Source: file.exe, 00000000.00000003.1690590163.00000000007B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_74.13.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49785 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0087ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0086AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00899576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00899576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_40f243c8-4
Source: file.exe, 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b71be217-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_415e04af-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_06f69019-3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0086D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0086E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080BF40	0_2_0080BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00872046	0_2_00872046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00808060	0_2_00808060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00868298	0_2_00868298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083E4FF	0_2_0083E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083676B	0_2_0083676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00894873	0_2_00894873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082CAA0	0_2_0082CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CAF0	0_2_0080CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CC39	0_2_0081CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00836DD9	0_2_00836DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008091C0	0_2_008091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B119	0_2_0081B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821394	0_2_00821394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821706	0_2_00821706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082781B	0_2_0082781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008219B0	0_2_008219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807920	0_2_00807920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081997D	0_2_0081997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827A4A	0_2_00827A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827CA7	0_2_00827CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821C77	0_2_00821C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00839EEE	0_2_00839EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088BE44	0_2_0088BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821F32	0_2_00821F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0081F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00820A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@46/32@12/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008737B5 GetLastError,FormatMessageW,

0_2_008737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008610BF AdjustTokenPrivileges,CloseHandle,		0_2_008610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0088A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0087648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008042A2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820A76 push ecx; ret

0_2_00820A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0081F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00891C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96445

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0086DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008768EE FindFirstFileW,FindClose,	0_2_008768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0087698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00879642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00879B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00875C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00875C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087EAA2 BlockInput,

0_2_0087EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00832622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00824CE8 mov eax, dword ptr fs:[00000030h]

0_2_00824CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00860B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00860B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00832622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008209D5 SetUnhandledExceptionFilter,	0_2_008209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00820C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00820C21

Source: C:\Users\user\Desktop\file.exe

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00842BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00842BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086B226 SendInput,keybd_event,

0_2_0086B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00860B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00861663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820698 cpuid

0_2_00820698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00878195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00878195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D27A GetUserNameW,

0_2_0085D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0083BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7140, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00881204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00881806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.186.110	true	false	unknown
www3.l.google.com	142.250.186.174	true	false	unknown
play.google.com	142.250.185.174	true	false	unknown
www.google.com	142.250.184.228	true	false	unknown
youtube.com	142.250.185.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_74.13.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_74.13.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_82.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_74.13.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_82.13.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_74.13.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_74.13.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_74.13.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_74.13.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_74.13.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	www3.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	play.google.com	United States	15169	GOOGLEUS	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false
142.250.186.110	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524530
Start date and time:	2024-10-02 23:03:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@46/32@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 38 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.18.3, 142.250.185.206, 64.233.184.84, 34.104.35.123, 142.250.184.227, 142.250.186.163, 216.58.212.138, 142.250.184.234, 172.217.23.106, 142.250.181.234, 142.250.184.202, 142.250.185.170, 216.58.206.42, 142.250.186.138, 216.58.206.74, 142.250.185.234, 142.250.185.202, 142.250.185.138, 142.250.186.170, 142.250.74.202, 142.250.185.106, 142.250.185.74, 142.250.186.106, 142.250.186.42, 172.217.16.202, 142.250.186.74, 216.58.212.170, 172.217.18.10, 172.217.16.138, 88.221.110.91, 192.229.221.95, 216.58.206.35, 74.125.71.84, 142.250.186.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse
	PwjUL1lEEC.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc	Browse
	Play_VM-NowCWhiteAudiowav012.html	Get hash	malicious	Tycoon2FA	Browse
	deveba=.html	Get hash	malicious	Unknown	Browse
	https://orv-moers.powerappsportals.com/	Get hash	malicious	HtmlDropper	Browse
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://www.kisa.link/dANpz	Get hash	malicious	Phisher	Browse
	https://ca.docusign.net/Signing/EmailStart.aspx?a=ef028e9a-a228-415f-bf68-f187538d8e48&etti=24&acct=5c5d7412-9cb5-4dbf-8a78-52c1b2a30ce5&er=96c6e932-7bdc-4ccf-8eb1-c3c23bac63dc	Get hash	malicious	Unknown	Browse
	Remittance_10_0224.html	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	4.175.87.197 184.28.90.27
	PwjUL1lEEC.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc	Browse	4.175.87.197 184.28.90.27
	deveba=.html	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	https://www.kisa.link/dANpz	Get hash	malicious	Phisher	Browse	4.175.87.197 184.28.90.27
	https://ca.docusign.net/Signing/EmailStart.aspx?a=ef028e9a-a228-415f-bf68-f187538d8e48&etti=24&acct=5c5d7412-9cb5-4dbf-8a78-52c1b2a30ce5&er=96c6e932-7bdc-4ccf-8eb1-c3c23bac63dc	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	Remittance_10_0224.html	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	http://allstatelock.com	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://app.useberry.com/t/BzWnZbSjHzChdj/	Get hash	malicious	HtmlDropper	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	652451
Entropy (8bit):	5.599799481050377
Encrypted:	false
SSDEEP:	6144:T9vbKtSfcxene0F2HZPM8RGYcBlKmM5r6bISxiDlnc0pYMSrBg5X3O4mAEzD7:T9jKtqIcP8XgISxEd0b
MD5:	FCEEAAAD0B59B9E3EE242C8A7D2F70AC
SHA1:	3CE31E474F797B2619836FCF342FE7BE0C64AD44
SHA-256:	A95E47E1246A54C9FC3E6D84DCBB85E3E6EFC454DBD2F0AE85DAD72A0EDC4A5C
SHA-512:	0AF4011AEC6BE19B7B5596708B02A39BEA02DE20D8835E33A7E709EB38D63275483F4CB402B3A4D5520363F2539E66AA921F7E437A85C7D3334D4497939D2D4F
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc,soHxf/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	8053
Entropy (8bit):	5.39187659584276
Encrypted:	false
SSDEEP:	96:oxxRcFgkRCIPpAgTr7fhT5rbEb9PdimzZlY0If0Ma23jcUdZl6rhCXKMikrw:EEFZpeip4HzZlY0If0Ma23jcUcrhC6i8
MD5:	5261AFCC98EB0E51A8B63EE51C4C789E
SHA1:	D97390439B8378F68DF22FE7443981ED02D4068B
SHA-256:	9238373DF26FE8EFCC95DDCE9828630D15FAB5C9B321C36CC1726A6248A75C36
SHA-512:	F6E408B551EEB504EA6C7F981B05AD9297A7FAD1746C0E6D3D6F367C43F36A4A96896BC4B9F60C163F4B84FDD57DD2A39CB3BC6990B6319FF3AA069AC41B9495
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1307)
Category:	downloaded
Size (bytes):	47223
Entropy (8bit):	5.485255863863186
Encrypted:	false
SSDEEP:	768:OxTAxQeYbC7ZwD1HqN9/aOlmkq6qdCPR9zwhBFi5fcjWFkazh/vdsth3Hywh6Ri1:4AhNW/QqXywxVkYWcAPqBDnDj
MD5:	EEF69871228E244E61EF87034AE72B27
SHA1:	EB660C1B7F4E0F5378D169B9B4205253E8CCA82D
SHA-256:	D747A90E5298CA64C986B75CC01656FD9AE3D6B02289E392A59EA2D29B0A7936
SHA-512:	8389B7C9D03218F5BF4099A2A8EBE3D53194B944FF8DCD7B02DDE04296B099F08AA2B86E0D437D48C8597C305C966CA5F9A69E081D7DBF17129FF2C515FD02D5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=soHxf"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var axa,bxa;axa=function(a){return a.hasOwnProperty("Ba")?a.Ba:function(){return{}}};.bxa=function(a,b,c){if(!a\|\|a===_.Qh)return _.Ue({});var d=axa(a).call(a,c),e=_.$da(b,d!=null?d:{});d=Object.getPrototypeOf(a);return bxa(d,b,c).flatMap(function(f){return e.map(function(g){g.Fa=f;return g})}).map(function(f){return f},function(f){a:{var g,m;var p=(m=(g=a.displayName)!=null?g:c.toString())!=null?m:a.name;if(f==null)f=Error("Bc`"+p+"`"+f);else if(typeof f==="string")f=Error("Cc`"+p+"`"+f);else if(f.message){p="Failed to retrieve dependencies of service "+p+": "+f.message;try{f.message=.p}catch(q){p=Error("Dc`"+p+"`"+q);break a}}else f=Error("Cc`"+p+"`"+JSON.stringify(f));p=f}return p})};_.jt=function(a,b,c){return b.ctor?b.Uq?b.AN(a,b.ctor,b.ii,c,void 0,!0):b.AN(a,b.ctor,b.ii,c,!0):b.Uq?b.AN(a,b.ii,c,void 0,!0):b.AN(a,b.ii,c,!0)};_.kt=function(a){_.Qh.call(this);var b,c;this.k

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583306698690746
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	015f30ab4a592ca2cfcd7419793a0974
SHA1:	b483c989c924e274e920a41a2283422bb7b9a62c
SHA256:	bd70def4378a1772742bf8943b919e5faed5b8c3bb08f9fff4f8bfdcf3da7ee6
SHA512:	7ba7bc07ae65a835fd6a52a0b744d755d5e1acab37622960ce3753a5c4d568c644ab37ecfbc51186f12b1313bd535c897d0287e955dcce6fc47c535de2762f3d
SSDEEP:	12288:gqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgalTy:gqDEvCTbMWu7rQYlBQcBiT6rprG8aRy
TLSH:	AB159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FDB4C8 [Wed Oct 2 21:02:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9C7CFD90C3h
jmp 00007F9C7CFD89CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9C7CFD8BADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9C7CFD8B7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9C7CFDB76Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9C7CFDB7B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9C7CFDB7A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9a10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9a10	0x9c00	5f7b793ce474177a4f4fbee156c72c2d	False	0.3053385416666667	data	5.32540113626387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xcd8	data			1.003345498783455
RT_GROUP_ICON	0xdd490	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd508	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd51c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd530	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd544	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd620	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 23:04:00.281747103 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.281810045 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.281891108 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.283267975 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.283289909 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.506000996 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 23:04:00.928704023 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.929198980 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.929230928 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.929779053 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.929856062 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.931217909 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.931265116 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.932924032 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.932993889 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.934128046 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:00.934135914 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:00.974745035 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:01.206677914 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:01.206831932 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:01.206882000 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:01.214287996 CEST	49730	443	192.168.2.4	142.250.185.142
Oct 2, 2024 23:04:01.214320898 CEST	443	49730	142.250.185.142	192.168.2.4
Oct 2, 2024 23:04:01.228442907 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.228501081 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.228560925 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.229017019 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.229032993 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.874026060 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.874402046 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.874427080 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.875165939 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.875231028 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.876194000 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.876240969 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.877605915 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.877685070 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.877898932 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:01.877906084 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:01.927851915 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:02.191418886 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:02.191447020 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:02.191526890 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:02.191574097 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:02.192125082 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:02.192188025 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:02.194370985 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:02.194402933 CEST	443	49736	142.250.186.110	192.168.2.4
Oct 2, 2024 23:04:02.194443941 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:02.194468021 CEST	49736	443	192.168.2.4	142.250.186.110
Oct 2, 2024 23:04:04.548825979 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:04.548877954 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:04.548969984 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:04.549120903 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:04.549137115 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:04.863094091 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:04.863153934 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:04.863250017 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:04.864702940 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:04.864722013 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:05.185885906 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:05.186113119 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:05.186124086 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:05.187562943 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:05.187632084 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:05.188730955 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:05.188813925 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:05.242463112 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:05.242477894 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:05.289393902 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:05.511727095 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:05.511786938 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:05.518433094 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:05.518450975 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:05.518666983 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:05.560260057 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:05.607400894 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.739980936 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.740165949 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:06.740197897 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.740211964 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.740214109 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:06.740248919 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.763309956 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:06.763410091 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:06.763623953 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:06.763813019 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:06.763849020 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.423015118 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.423084021 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.431123972 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.431173086 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.431416988 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.433289051 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.475441933 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.699394941 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.699449062 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.699498892 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.700176001 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.700200081 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:07.700213909 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 23:04:07.700221062 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 23:04:10.132621050 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.132680893 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.132873058 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.133073092 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.133091927 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.771420956 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.773364067 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.773400068 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.773771048 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.773833990 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.774369001 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.774420023 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.775413990 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.775473118 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.775547981 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:10.775561094 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:10.818569899 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.092629910 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.092762947 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.092839956 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.092844009 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.092886925 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.092928886 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.098177910 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.098244905 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.098262072 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.104587078 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.104605913 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.104635954 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.104651928 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.104712009 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.110841036 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.110909939 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.117696047 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.117775917 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.117780924 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.117794991 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.117851973 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.180840969 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.180913925 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.180948019 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.181010008 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.181055069 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.181540966 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.181588888 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.187725067 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.187777042 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.188184977 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.188235044 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.193886995 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.193936110 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.200215101 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.200261116 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.200275898 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.206513882 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.206554890 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.206571102 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.216394901 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.216464043 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.216481924 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.216514111 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.216590881 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.230294943 CEST	49757	443	192.168.2.4	142.250.186.174
Oct 2, 2024 23:04:11.230321884 CEST	443	49757	142.250.186.174	192.168.2.4
Oct 2, 2024 23:04:11.235641956 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.235682011 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.235924959 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.236274004 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.236285925 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.452661991 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.452708006 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.452783108 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.455702066 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.455718040 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.872028112 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.872354984 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.872380018 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.872692108 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.872750044 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.873289108 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.873333931 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.874177933 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.874232054 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.874378920 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:11.874387980 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:11.927160025 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.090143919 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.090495110 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.090524912 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.091046095 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.091123104 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.092067957 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.092134953 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.092286110 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.092366934 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.092485905 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.092495918 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.144125938 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.172399044 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.172864914 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.173145056 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.173203945 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.173203945 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.173234940 CEST	443	49761	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.173286915 CEST	49761	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.174415112 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.174458981 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.174534082 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.174810886 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.174829006 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.389219046 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.389520884 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.389580965 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.389954090 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.389970064 CEST	443	49762	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.389978886 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.390022039 CEST	49762	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.391408920 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.391444921 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.391510963 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.392281055 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.392296076 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.836657047 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.836970091 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.836987972 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.838257074 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.838340998 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.839207888 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.839265108 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.839565039 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.839637041 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.839870930 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.839879990 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:12.839906931 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.881728888 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:12.881736994 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.059070110 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.059488058 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.059513092 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.060036898 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.060110092 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.061111927 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.061180115 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.061403036 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.061484098 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.061745882 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.061755896 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.062006950 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.073236942 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.074870110 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.074949026 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.075794935 CEST	49764	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.075820923 CEST	443	49764	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.107397079 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.287611008 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.287977934 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.288055897 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.293596029 CEST	49766	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:13.293617964 CEST	443	49766	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:13.442744970 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:13.455559015 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:13.455591917 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:13.455670118 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:13.458774090 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:13.458786964 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:13.487396955 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.708985090 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709121943 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709217072 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709320068 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709372997 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:13.709453106 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709516048 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:13.709830999 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:13.709891081 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:13.732901096 CEST	49741	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:04:13.732945919 CEST	443	49741	142.250.184.228	192.168.2.4
Oct 2, 2024 23:04:14.253295898 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:14.254051924 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:14.256036043 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:14.256047964 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:14.256448030 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:14.303554058 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:14.946283102 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:14.991401911 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.202923059 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.202955961 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.202965975 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.202979088 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.203052998 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.203066111 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.203074932 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.203083992 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.203109980 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.203119993 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.203623056 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.203685045 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.203687906 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.203720093 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.206068039 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.847114086 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.847114086 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:15.847156048 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:15.847168922 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:18.005381107 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 2, 2024 23:04:18.011591911 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 2, 2024 23:04:18.011653900 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 2, 2024 23:04:19.275791883 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.275892019 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.275993109 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.276377916 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.276416063 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.939618111 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.940187931 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.940256119 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.940789938 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.941124916 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.941219091 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:19.941296101 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.941488028 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:19.941517115 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:20.272171974 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:20.273190975 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:20.273339987 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:20.275131941 CEST	49781	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:20.275176048 CEST	443	49781	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:42.369533062 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.369626999 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:42.369750977 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.369986057 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.370027065 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:42.572761059 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.572832108 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:42.573160887 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.581461906 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:42.581475019 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.227560997 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.228009939 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.228080988 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.228576899 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.228888035 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.228974104 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.229077101 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.229077101 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.229125023 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.337440014 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.337539911 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.337639093 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.337910891 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.337948084 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.348936081 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.349167109 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.349189043 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.349701881 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.349989891 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.350064993 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.350148916 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.350174904 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.350276947 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.622138023 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.622459888 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.622654915 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.623047113 CEST	49782	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.623075008 CEST	443	49782	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.655659914 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.656918049 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.657007933 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.657099962 CEST	49783	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.657123089 CEST	443	49783	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.974678040 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.974977016 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.975039959 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.976330996 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.976660013 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.976831913 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.976850986 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:43.976876020 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:43.976876020 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:44.022058010 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:44.022074938 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:44.276010036 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:44.276706934 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:44.276787996 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:44.276946068 CEST	49784	443	192.168.2.4	142.250.185.174
Oct 2, 2024 23:04:44.276979923 CEST	443	49784	142.250.185.174	192.168.2.4
Oct 2, 2024 23:04:52.316869974 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:52.316915989 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:52.316994905 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:52.317339897 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:52.317353964 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.110162020 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.110244989 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.115539074 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.115555048 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.115803957 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.130255938 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.175403118 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.442313910 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.442368984 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.442411900 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.442573071 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.442573071 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.442599058 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.442663908 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.443150043 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.443195105 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.443223000 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.443229914 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.443247080 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.443367958 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.443428040 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.448466063 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.448481083 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:04:53.448514938 CEST	49785	443	192.168.2.4	4.175.87.197
Oct 2, 2024 23:04:53.448519945 CEST	443	49785	4.175.87.197	192.168.2.4
Oct 2, 2024 23:05:04.594790936 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:04.594849110 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:04.595022917 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:04.595320940 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:04.595334053 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:05.244635105 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:05.244951963 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:05.245018005 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:05.246174097 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:05.246454954 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:05.246642113 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:05.287499905 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:06.943614960 CEST	49724	80	192.168.2.4	199.232.214.172
Oct 2, 2024 23:05:06.949151039 CEST	80	49724	199.232.214.172	192.168.2.4
Oct 2, 2024 23:05:06.949445009 CEST	49724	80	192.168.2.4	199.232.214.172
Oct 2, 2024 23:05:13.456995010 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.457048893 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:13.457151890 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.457410097 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.457427979 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:13.698959112 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.699027061 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:13.699152946 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.699604034 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:13.699637890 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.115775108 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.116415024 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.116436958 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.117630005 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.117943048 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.118103981 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.118103981 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.118123055 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.118201971 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.162565947 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.339096069 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.344129086 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.344152927 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.344674110 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.345143080 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.345232964 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.345381975 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.345412016 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.345424891 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.415868998 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.416826010 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.417006969 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.417045116 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.417073011 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.640192032 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.640948057 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:14.641159058 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.684915066 CEST	49790	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:14.684950113 CEST	443	49790	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:15.162516117 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:15.162610054 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:15.162981987 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:27.273175955 CEST	49787	443	192.168.2.4	142.250.184.228
Oct 2, 2024 23:05:27.273219109 CEST	443	49787	142.250.184.228	192.168.2.4
Oct 2, 2024 23:05:43.534053087 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:43.534143925 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:43.534277916 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:43.534672022 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:43.534704924 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.204514980 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.205202103 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.205226898 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.208085060 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.208867073 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.209033012 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.209115028 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.209141970 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.209146976 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.523756981 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.529819965 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:44.529908895 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.530002117 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:44.530024052 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:45.825851917 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:45.825921059 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:45.826091051 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:45.826492071 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:45.826508045 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.497572899 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.497951984 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.497983932 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.498594999 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.498851061 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.498927116 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.499006033 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.499020100 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.499037027 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.813985109 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.814560890 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 23:05:46.814610958 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.814688921 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 23:05:46.814703941 CEST	443	49793	172.217.18.14	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 23:04:00.251230001 CEST	55279	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:00.251631975 CEST	62878	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:00.259574890 CEST	53	60634	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:00.259654045 CEST	53	62878	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:00.259691000 CEST	53	55279	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:00.302149057 CEST	53	63016	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:01.218239069 CEST	51564	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:01.218583107 CEST	63256	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:01.226655960 CEST	53	63256	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:01.227796078 CEST	53	51564	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:01.468046904 CEST	53	49543	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:04.540512085 CEST	65035	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:04.540854931 CEST	56217	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:04.547617912 CEST	53	65035	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:04.547878027 CEST	53	56217	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:07.649677992 CEST	53	62012	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:10.106193066 CEST	62806	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:10.106376886 CEST	50045	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:10.113301039 CEST	53	62806	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:10.113972902 CEST	53	50045	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:11.150007010 CEST	58977	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:11.150572062 CEST	61683	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:04:11.157416105 CEST	53	58977	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:11.158200026 CEST	53	61683	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:12.428210974 CEST	53	52633	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:18.525789976 CEST	53	57677	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:18.635691881 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 23:04:37.311717987 CEST	53	54340	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:59.770596981 CEST	53	55580	1.1.1.1	192.168.2.4
Oct 2, 2024 23:04:59.787590981 CEST	53	63295	1.1.1.1	192.168.2.4
Oct 2, 2024 23:05:12.277290106 CEST	53	65196	1.1.1.1	192.168.2.4
Oct 2, 2024 23:05:13.449323893 CEST	57686	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:05:13.449462891 CEST	54207	53	192.168.2.4	1.1.1.1
Oct 2, 2024 23:05:13.456233025 CEST	53	57686	1.1.1.1	192.168.2.4
Oct 2, 2024 23:05:13.456402063 CEST	53	54207	1.1.1.1	192.168.2.4
Oct 2, 2024 23:05:27.281743050 CEST	53	59234	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 23:04:00.251230001 CEST	192.168.2.4	1.1.1.1	0x426	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:00.251631975 CEST	192.168.2.4	1.1.1.1	0x9c2a	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 23:04:01.218239069 CEST	192.168.2.4	1.1.1.1	0x7044	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.218583107 CEST	192.168.2.4	1.1.1.1	0x9b67	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 23:04:04.540512085 CEST	192.168.2.4	1.1.1.1	0xc7e7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:04.540854931 CEST	192.168.2.4	1.1.1.1	0x3f6d	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 23:04:10.106193066 CEST	192.168.2.4	1.1.1.1	0x633d	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:10.106376886 CEST	192.168.2.4	1.1.1.1	0xf02	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 23:04:11.150007010 CEST	192.168.2.4	1.1.1.1	0x16b	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:11.150572062 CEST	192.168.2.4	1.1.1.1	0xf75a	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 23:05:13.449323893 CEST	192.168.2.4	1.1.1.1	0x5bb	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:05:13.449462891 CEST	192.168.2.4	1.1.1.1	0x926b	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 23:04:00.259654045 CEST	1.1.1.1	192.168.2.4	0x9c2a	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 23:04:00.259691000 CEST	1.1.1.1	192.168.2.4	0x426	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.226655960 CEST	1.1.1.1	192.168.2.4	0x9b67	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 23:04:01.226655960 CEST	1.1.1.1	192.168.2.4	0x9b67	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:01.227796078 CEST	1.1.1.1	192.168.2.4	0x7044	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:04.547617912 CEST	1.1.1.1	192.168.2.4	0xc7e7	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:04.547878027 CEST	1.1.1.1	192.168.2.4	0x3f6d	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 23:04:10.113301039 CEST	1.1.1.1	192.168.2.4	0x633d	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 23:04:10.113301039 CEST	1.1.1.1	192.168.2.4	0x633d	No error (0)	www3.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:04:10.113972902 CEST	1.1.1.1	192.168.2.4	0xf02	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 23:04:11.157416105 CEST	1.1.1.1	192.168.2.4	0x16b	No error (0)	play.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 23:05:13.456233025 CEST	1.1.1.1	192.168.2.4	0x5bb	No error (0)	play.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	142.250.185.142	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:00 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:01 UTC	1919	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 21:04:01 GMT Date: Wed, 02 Oct 2024 21:04:01 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: YSC=kv2mQAOd_S4; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.186.110	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:01 UTC	894	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: YSC=kv2mQAOd_S4
2024-10-02 21:04:02 UTC	2530	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 21:04:02 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 21:34:02 GMT; Path=/; Secure; HttpOnly Set-Cookie: VISITOR_INFO1_LIVE=j8BFoEDKNNU; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 21:04:02 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgDA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 21:04:02 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:05 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 21:04:06 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=70904 Date: Wed, 02 Oct 2024 21:04:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:07 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 21:04:07 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=70847 Date: Wed, 02 Oct 2024 21:04:07 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 21:04:07 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	142.250.186.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:10 UTC	1216	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1351726012&timestamp=1727903049136 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:11 UTC	1966	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-hLmxxA3svz6kK2v-tUY-9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 21:04:10 GMT Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtHikmLw0JBiWMy_i0ni60smLSB2Sp_BGgLESf_Os5YA8eXuS6zXgbhI4gprCxAL8XCcevVtO5vAhMmXLzIr6SXlF8ZnpqTmlWSWVKbk5yZm5iXn52dnphYXpxaVpRbFGxkYmRhYGhnpGVjEFxgAACCLLCw" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 68 4c 6d 78 78 41 33 73 76 7a 36 6b 4b 32 76 2d 74 55 59 2d 39 51 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="hLmxxA3svz6kK2v-tUY-9Q">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a Data Ascii: b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c Data Ascii: a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 Data Ascii: nction(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.lengt
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e Data Ascii: e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="fun
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 Data Ascii: _"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 Data Ascii: is,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 Data Ascii: "Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_ui
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d Data Ascii: (a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}
2024-10-02 21:04:11 UTC	1966	IN	Data Raw: 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d Data Ascii: k;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:11 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:12 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49762	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:12 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:12 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:12 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:12 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 30 35 30 31 38 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903050181",null,null,null
2024-10-02 21:04:13 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Kck_jIgNhVG7jEQX2SbqhGHvwtYdBP55C_C9iXuloSlD49w-S_x7gmn0AtWo_Xr60zQGYh3QNHKxO3sWWco72wx_x_2uyFVCjFNC8ddgRPQUiRkxJzY4UfGxJout-VUAHHy3FCr5yZXIDSOqICAITCQsu2UzW5dMf_NfSiU3WxISmvoBxac; expires=Thu, 03-Apr-2025 21:04:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 21:04:12 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49766	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:13 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 21:04:13 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 30 35 30 33 33 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903050332",null,null,null
2024-10-02 21:04:13 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=nVB3bI8VyUEdTEPtQxeZH1YDnBZr1h4MvQMo98hYTmmd_C4e6GcEgpm-6XLAANgikEHryIW7ro_4RQzJaLTwR2okQF0CJ45YV0Jd5zQUKUVWgdQxJhDEq0nPpkeviapAnV8kYtxKljxENLtHGlJ47NUsbTvRDT4gakOctITmfnOJDXHPUA; expires=Thu, 03-Apr-2025 21:04:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 21:04:13 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.184.228	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:13 UTC	1213	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=nVB3bI8VyUEdTEPtQxeZH1YDnBZr1h4MvQMo98hYTmmd_C4e6GcEgpm-6XLAANgikEHryIW7ro_4RQzJaLTwR2okQF0CJ45YV0Jd5zQUKUVWgdQxJhDEq0nPpkeviapAnV8kYtxKljxENLtHGlJ47NUsbTvRDT4gakOctITmfnOJDXHPUA
2024-10-02 21:04:13 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 20:56:02 GMT Expires: Thu, 10 Oct 2024 20:56:02 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 491 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 21:04:13 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 21:04:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 21:04:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 21:04:13 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 21:04:13 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49772	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rcEZevvxWwmovel&MD=GzkgClcm HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 21:04:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: adeb2103-d9c7-41d2-ac03-2219ebcc3893 MS-RequestId: dec4d0e6-89da-46a1-97b0-9618a7bd38f8 MS-CV: MqH3Jt+WhEWDdtSi.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 21:04:14 GMT Connection: close Content-Length: 24490
2024-10-02 21:04:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 21:04:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49781	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:19 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=nVB3bI8VyUEdTEPtQxeZH1YDnBZr1h4MvQMo98hYTmmd_C4e6GcEgpm-6XLAANgikEHryIW7ro_4RQzJaLTwR2okQF0CJ45YV0Jd5zQUKUVWgdQxJhDEq0nPpkeviapAnV8kYtxKljxENLtHGlJ47NUsbTvRDT4gakOctITmfnOJDXHPUA
2024-10-02 21:04:19 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 39 30 33 30 34 38 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727903048000",null,null,null,
2024-10-02 21:04:20 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA; expires=Thu, 03-Apr-2025 21:04:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:20 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 21:04:20 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:20 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49782	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:43 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1312 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:04:43 UTC	1312	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 30 38 31 34 30 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903081407",null,null,null
2024-10-02 21:04:43 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:43 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:43 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49783	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:43 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1236 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:04:43 UTC	1236	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 30 38 32 33 37 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903082375",null,null,null
2024-10-02 21:04:43 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:43 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:43 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49784	142.250.185.174	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:43 UTC	1289	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1041 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:04:43 UTC	1041	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 21:04:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:04:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:04:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:04:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49785	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:04:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rcEZevvxWwmovel&MD=GzkgClcm HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 21:04:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 9e1fba46-44a3-4c3a-9fe2-eec8da2f1347 MS-RequestId: 816ccdff-667a-4883-9c8b-aa6731d16156 MS-CV: hl3xLx5wHUaDt8FQ.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 21:04:52 GMT Connection: close Content-Length: 30005
2024-10-02 21:04:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 21:04:53 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49789	172.217.18.14	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:05:14 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1190 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:05:14 UTC	1190	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 31 31 32 34 38 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903112487",null,null,null
2024-10-02 21:05:14 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:05:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:05:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:05:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49790	172.217.18.14	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:05:14 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1299 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:05:14 UTC	1299	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 31 31 32 37 33 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903112737",null,null,null
2024-10-02 21:05:14 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:05:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:05:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:05:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49792	172.217.18.14	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:05:44 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1488 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:05:44 UTC	1488	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 31 34 32 35 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903142572",null,null,null
2024-10-02 21:05:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:05:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:05:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:05:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49793	172.217.18.14	443	2668	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 21:05:46 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1139 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=EAct83JT8gM828qhaDq4e6wR5AhM_UwDbxT9OLDenczl8KNOFRrEYQSeI9KF4t6aaNNqGxI0TI9QGMHEOIkcPo2F4X72WMPN9icOcH0_oGxpsWgj31gIBjqH4xvgn8rMPAtSrFn45zFqleop_ZggXwikUZrEILxD2tkCqEYx5Irxuh_rE-B-svmKoA
2024-10-02 21:05:46 UTC	1139	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 30 33 31 34 34 38 36 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727903144862",null,null,null
2024-10-02 21:05:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 21:05:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 21:05:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 21:05:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	17:03:55
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x800000
File size:	919'040 bytes
MD5 hash:	015F30AB4A592CA2CFCD7419793A0974
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:03:55
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:03:55
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:03:55
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:03:55
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:03:56
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:03:57
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	17:03:58
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	17:04:10
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:04:10
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1988,i,2714495616838969432,12383058553963551388,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1578
Total number of Limit Nodes:	51

Executed Functions

Function 008042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0080430D

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetCurrentProcess.KERNEL32(?,0089CB64,00000000,?,?), ref: 00804422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00804429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00804454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00804466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00804474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0080447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008044A0

Strings

kernel32.dll, xrefs: 0080444F
GetNativeSystemInfo, xrefs: 00804460
|O, xrefs: 008436F8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction ID: f329c84199354af2a60285fbdb99c8b3c8eb84952a86b822589fce43d9c30b15
Opcode Fuzzy Hash: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction Fuzzy Hash: C7A1C5A190B7C4FFCF19D769BC491967FA5FF26304B085AABE081D3B62D2384508CB25

Function 008042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008050AA,?,?,00000000,00000000), ref: 008042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008050AA,?,?,00000000,00000000), ref: 008042C9
LoadResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435BE
SizeofResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435D3
LockResource.KERNEL32(008050AA,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20,?), ref: 008435E6

Strings

SCRIPT, xrefs: 008042BF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction ID: c9af704d2635dff017b091eec1734176d7d85ec35c3431d55387d4fdb02fa784
Opcode Fuzzy Hash: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction Fuzzy Hash: 1D117CB0240701BFDB219BA5DC48F277BB9FBC5B51F14416AB512D6290DBB2D8008630

Function 00842BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,@b,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008C2224), ref: 00842C10
ShellExecuteW.SHELL32(00000000,?,?,008C2224), ref: 00842C17

Strings

runas, xrefs: 00842C0B
@b, xrefs: 00842BD9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: @b$runas
API String ID: 448630720-2001461364
Opcode ID: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction ID: 9196b3ecaa36445f24c782043721f103306d3afc0f634998123c580b544ac370
Opcode Fuzzy Hash: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction Fuzzy Hash: FB11C331208245AACB54FF68DC56A6E77A9FF90710F44052EF182C21E3CF6185498713

Function 0088A67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0088A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0088A6BA

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Process32NextW.KERNEL32(00000000,?), ref: 0088A79C
CloseHandle.KERNELBASE(00000000), ref: 0088A7AB

Part of subcall function 0081CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00843303,?), ref: 0081CE8A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 52e81d604ecd912b7eb46072ad406330666dfca0d62d7ad6b82a5ade3aa584a2
Instruction ID: ba083f29aab7e8c95c1382f5c5d8a38e215a94b948e723975d3fecd015b91d1b
Opcode Fuzzy Hash: 52e81d604ecd912b7eb46072ad406330666dfca0d62d7ad6b82a5ade3aa584a2
Instruction Fuzzy Hash: 965118715083019FD754EF28C886A6BBBE8FF89754F00892DF585D7292EB70D904CB92

Function 0086DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00845222), ref: 0086DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0086DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0086DBEE
FindClose.KERNEL32(00000000), ref: 0086DBFA

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction ID: d1865f2d52c12536042ecdae446e20da388d7512629ecd88f17f6e871a805e43
Opcode Fuzzy Hash: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction Fuzzy Hash: 8BF0A030810A1857C220BBB8AC0D8AA376CFF41334F584703F836C22E0EBB2599486D9

Function 00824CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D09
TerminateProcess.KERNEL32(00000000,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D10
ExitProcess.KERNEL32 ref: 00824D22

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction ID: 3034148376c99c869a87218ae51fba2d51a89c8c322925dfb1c2c8a4230e3ec9
Opcode Fuzzy Hash: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction Fuzzy Hash: A7E0B631000158AFCF11BF54EE0AA583B69FB41B81F144015FC09CB222DB36DD82DAA0

Function 0080BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

x, xrefs: 008507CE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: x
API String ID: 3964851224-2890206012
Opcode ID: deeff573a55d27f39aa0f1fe6c70dd97d0b726fcc41caae6b89f291ded76f96a
Instruction ID: 9c6e56841f266ff892086f6f2158c1e1f11a58aa76afe5c6bf322b98ea53894a
Opcode Fuzzy Hash: deeff573a55d27f39aa0f1fe6c70dd97d0b726fcc41caae6b89f291ded76f96a
Instruction Fuzzy Hash: EFA238706083419FD764CF18C880A6ABBE1FF99304F14896DE99ADB392D771E845CF92

Function 0088AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0088B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1D4
_wcslen.LIBCMT ref: 0088B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B236
_wcslen.LIBCMT ref: 0088B332

Part of subcall function 008705A7: GetStdHandle.KERNEL32(000000F6), ref: 008705C6

_wcslen.LIBCMT ref: 0088B34B
_wcslen.LIBCMT ref: 0088B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088B3B6
GetLastError.KERNEL32(00000000), ref: 0088B407
CloseHandle.KERNEL32(?), ref: 0088B439
CloseHandle.KERNEL32(00000000), ref: 0088B44A
CloseHandle.KERNEL32(00000000), ref: 0088B45C
CloseHandle.KERNEL32(00000000), ref: 0088B46E
CloseHandle.KERNEL32(?), ref: 0088B4E3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6de5dc8f3cd9fe10eed1a1368feaef8e6ec82e3c7e94148aade30224bc238df5
Instruction ID: 08c62094ad9b498b75586de95bc3612b1613181c395253b9807713f1a29b8c88
Opcode Fuzzy Hash: 6de5dc8f3cd9fe10eed1a1368feaef8e6ec82e3c7e94148aade30224bc238df5
Instruction Fuzzy Hash: F4F159316082409FDB14EF28C891B6ABBE5FF85314F18855DF899DB2A2DB31EC45CB52

Function 0080D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0080D807
timeGetTime.WINMM ref: 0080DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB28
TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 8bdc763d5ca902c1e85be23c4d2dc39093340636187deb891791e0865f2a1c27
Instruction ID: 494a858bb849e4e40eebacc1ebde2272fc3866ad984dff2ffad9317f40e0587e
Opcode Fuzzy Hash: 8bdc763d5ca902c1e85be23c4d2dc39093340636187deb891791e0865f2a1c27
Instruction Fuzzy Hash: CE42EF30608345EFDB69DB68CC44BAABBE4FF46314F14865AE855C72D1DB70E848CB92

Function 00802CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802D07
RegisterClassExW.USER32(00000030), ref: 00802D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
LoadIconW.USER32(000000A9), ref: 00802D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

p/, xrefs: 00802D80, 00802D8E
+, xrefs: 00802CF0
0, xrefs: 00802CE9
TaskbarCreated, xrefs: 00802D37
AutoIt v3 GUI, xrefs: 00802D23

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated$p/
API String ID: 2914291525-2381562920
Opcode ID: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction ID: df3db50f055d3b99cfb7b96d9ae8a5f2df3a49b760856df81af58cad61b356b1
Opcode Fuzzy Hash: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction Fuzzy Hash: 0F21B2B5902218BFDF00EFE4E859ADDBFB8FB08700F44821BE611A62A0D7B645448F91

Function 0080344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,@b,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00803357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00803379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0080356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0084318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008431CE
RegCloseKey.ADVAPI32(?), ref: 00843210
_wcslen.LIBCMT ref: 00843277
_wcslen.LIBCMT ref: 00843286

Strings

\, xrefs: 0084328C
XT, xrefs: 0080349D
Software\AutoIt v3\AutoIt, xrefs: 00803560
Include, xrefs: 00843184, 008431C5
\Include\, xrefs: 00803527

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$XT$\$\Include\
API String ID: 98802146-714123913
Opcode ID: a42413c27906075c509c71101cd347497f2e8cadd2cfb42762576b291c9384e6
Instruction ID: 893ee9e31a07382066c4631eb20e21af922257337beae35ede56a17b1148b438
Opcode Fuzzy Hash: a42413c27906075c509c71101cd347497f2e8cadd2cfb42762576b291c9384e6
Instruction Fuzzy Hash: 36717D715053059EC708EF69EC8296BBBE8FFA5340F40062EF555C32B1EB759A48CB62

Function 0084065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0084039A: CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

GetLastError.KERNEL32 ref: 0084076F
__dosmaperr.LIBCMT ref: 00840776
GetFileType.KERNELBASE(00000000), ref: 00840782
GetLastError.KERNEL32 ref: 0084078C
__dosmaperr.LIBCMT ref: 00840795
CloseHandle.KERNEL32(00000000), ref: 008407B5
CloseHandle.KERNEL32(?), ref: 008408FF
GetLastError.KERNEL32 ref: 00840931
__dosmaperr.LIBCMT ref: 00840938

Strings

H, xrefs: 008408BD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction ID: 6fc4ce6580266b2c815bd44000edc5743c418e8db57cb6b33cf86b47c9c8e583
Opcode Fuzzy Hash: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction Fuzzy Hash: 20A10432A041188FDF19AF68D851BAE7BA0FB46324F24015AF915DB3D2DB359812CF92

Function 00802B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00802B9D
LoadIconW.USER32(00000063), ref: 00802BB3
LoadIconW.USER32(000000A4), ref: 00802BC5
LoadIconW.USER32(000000A2), ref: 00802BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00802BEF
RegisterClassExW.USER32(?), ref: 00802C40

Part of subcall function 00802CD4: GetSysColorBrush.USER32(0000000F), ref: 00802D07
Part of subcall function 00802CD4: RegisterClassExW.USER32(00000030), ref: 00802D31
Part of subcall function 00802CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
Part of subcall function 00802CD4: InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
Part of subcall function 00802CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
Part of subcall function 00802CD4: LoadIconW.USER32(000000A9), ref: 00802D85
Part of subcall function 00802CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

#, xrefs: 00802C16
AutoIt v3, xrefs: 00802C2F
0, xrefs: 00802C0F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction ID: f55872ac8698dee07965db42e0b70d3fe34a6d2b860c801ead410785b884de64
Opcode Fuzzy Hash: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction Fuzzy Hash: 9C21F570A02318BBDF149FE9EC59AA97FB4FF48B50F44421BE604A67A0D7BA05408F90

Function 00803170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0080316A,?,?), ref: 008031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0080316A,?,?), ref: 00803204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00803227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0080316A,?,?), ref: 00803232
CreatePopupMenu.USER32 ref: 00803246
PostQuitMessage.USER32(00000000), ref: 00803267

Strings

TaskbarCreated, xrefs: 0080322D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction ID: 38f8e2aec67ed97606c0d76ba8f067471299283932bb78e5dbbd2d852525b570
Opcode Fuzzy Hash: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction Fuzzy Hash: 14412635244208BBDF556BBC9D2DB793B5DFF0A345F480227F902C62E1CB759A8097A2

Function 00801410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00801459
CoUninitialize.COMBASE ref: 008014F8
UnregisterHotKey.USER32(?), ref: 008016DD
DestroyWindow.USER32(?), ref: 008424B9
FreeLibrary.KERNEL32(?), ref: 0084251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0084254B

Strings

close all, xrefs: 00801454

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9b28cfe246599b25a29e5cfd7848413a627686fa74612d123bb93437b1a4ac5c
Instruction ID: b283cd2e03e50bc79f42c6d1ed1a00f4aa240776d90164d8992a03f264b907c5
Opcode Fuzzy Hash: 9b28cfe246599b25a29e5cfd7848413a627686fa74612d123bb93437b1a4ac5c
Instruction Fuzzy Hash: 6AD19B30705212CFCB69EF18C899A29F7A4FF04714F5541ADE54AEB2A2DB31AC12CF51

Function 008010F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Part of subcall function 00801B4A: RegisterWindowMessageW.USER32(00000004,?,008012C4), ref: 00801BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0080136A
OleInitialize.OLE32 ref: 00801388
CloseHandle.KERNEL32(00000000,00000000), ref: 008424AB

Strings

8m, xrefs: 00801174
(, xrefs: 008011D2
h, xrefs: 008012A8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: ($8m$h
API String ID: 1986988660-1030522071
Opcode ID: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction ID: 62c053fbaa498c22c967736a51d5f3170d64f3c78805b9d86a5d442e76b34cb8
Opcode Fuzzy Hash: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction Fuzzy Hash: 037187B4A12200AECF84EFA9B94D6593BF6FF88354744832BD11AC72A2EB384444CF45

Function 00802C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00802C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00802CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CCF

Strings

edit, xrefs: 00802CAC
AutoIt v3, xrefs: 00802C89, 00802C8E, 00802C8F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction ID: e6c95941ec7491ce14f366181bda6ae87b1ea91f1e5401d054c67e5c12176d2f
Opcode Fuzzy Hash: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction Fuzzy Hash: FDF0DA756412907BEF35175BAC0CE772FBDFBC6F60B04015BF904A26A0C66A1850DAB0

Function 00803B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B83

Strings

Control Panel\Mouse, xrefs: 00803B3E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction ID: 31d3b99abb07cd05d85d3ae7d287de5ae419290bd85404e2ef2cafef4ed5511c
Opcode Fuzzy Hash: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction Fuzzy Hash: 261127B5611208FFDB609FA5DC95AAEBBBCFF04768B10846AA805D7150E3319E449BA0

Function 00803923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008433A2

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Strings

Line: , xrefs: 008433EB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction ID: cd53ddb2646827d7abb12137d815533da8ab92d2a11ea3ae3a99134aa95cd498
Opcode Fuzzy Hash: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction Fuzzy Hash: 25319E71509304AAC765EB28EC49BEBB7ACFF40714F00462AF599C22D1EB749659C7C3

Function 0081FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00820668

Part of subcall function 008232A4: RaiseException.KERNEL32(?,?,?,0082068A,?,008D1444,?,?,?,?,?,?,0082068A,00801129,008C8738,00801129), ref: 00823304

__CxxThrowException@8.LIBVCRUNTIME ref: 00820685

Strings

Unknown exception, xrefs: 00820692

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 54f7112472c2c33793ab24844eb404bf55dea68cbe2745d57f4bde1d6c244617
Instruction ID: 89637452946456fafae98775fce12132d324648d7ef0c9529e51c28d5a8f61b9
Opcode Fuzzy Hash: 54f7112472c2c33793ab24844eb404bf55dea68cbe2745d57f4bde1d6c244617
Instruction Fuzzy Hash: 8BF0AF2490031DA7CB00B6A8F856DAE7B6CFE10310B604535BA24D6593EF71DAE98982

Function 0086C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00803923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0086C259
KillTimer.USER32(?,00000001,?,?), ref: 0086C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086C270

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction ID: 4d921400b69d4f6fd7d02e110b93c162a6f87889c6490365e6d47badf3786ea2
Opcode Fuzzy Hash: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction Fuzzy Hash: 40317370904354AFEB229F649895BE7BBECFF06308F05049AD6DAE7241C7745A84CB51

Function 008386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008385CC,?,008C8CC8,0000000C), ref: 00838704
GetLastError.KERNEL32(?,008385CC,?,008C8CC8,0000000C), ref: 0083870E
__dosmaperr.LIBCMT ref: 00838739

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction ID: f0885a963a080055d05a60c6c3498d49ef7968c0b0763da95a441824c0ec279c
Opcode Fuzzy Hash: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction Fuzzy Hash: C0012B3260572097D6246338694A77E6759FBD2778F39021EF815CB2D2EEA18C8181D1

Function 0080DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00851CC9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction ID: ec411767df4fc7244570706bf412f2cc5cca364a82466a9981ea089c9b6cad3e
Opcode Fuzzy Hash: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction Fuzzy Hash: 5CF05430604344ABEB70D7E48C59FEA73ACFF44311F144625E619C30C0DB319448DB15

Function 0080B710 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0080BB4E

Strings

x, xrefs: 0080BA72, 0080BB6B, 0085024F, 00850263

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: x
API String ID: 1385522511-2890206012
Opcode ID: 56209421562b8a8fbac8d8d6c9602ddb9527dc3649236b6f41cd00c58426b01e
Instruction ID: b23a9e2d8d1a7c623f4f16f34d9dca8b66303632c263ef9e7cffe0fa640ffa39
Opcode Fuzzy Hash: 56209421562b8a8fbac8d8d6c9602ddb9527dc3649236b6f41cd00c58426b01e
Instruction Fuzzy Hash: C332AD31A002099FDB24CF58C894ABAB7B9FF44354F14806AED15EB3A1D774ED85CB52

Function 00811310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008117F6

Strings

CALL, xrefs: 008117C6

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1ca44769795ea8562de6fd567caef0d5116a8fce684980e89ebe3d4fda0d6496
Instruction ID: 9868fa37f90d6841fdd3669ee0d46e6c3ed874c22d7e9ae8ab0515bd073cec81
Opcode Fuzzy Hash: 1ca44769795ea8562de6fd567caef0d5116a8fce684980e89ebe3d4fda0d6496
Instruction Fuzzy Hash: 3F228D706082019FCB14DF18C484AAABBF6FF95314F54896DF996CB3A2D731E895CB42

Function 00804ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00804E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
Part of subcall function 00804E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
Part of subcall function 00804E90: FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EFD

Part of subcall function 00804E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
Part of subcall function 00804E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
Part of subcall function 00804E59: FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Strings

@b, xrefs: 00804ED1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: @b
API String ID: 2632591731-2077063687
Opcode ID: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction ID: d38c14d517267b7300559f5c2ac08fea5fdae2bfdf3748b07cb449f584851da8
Opcode Fuzzy Hash: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction Fuzzy Hash: DB1123B2640206AACF20BB68DC03FAD77A5FF40711F10842EF642E61C1EEB19A049B52

Function 00802DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00842C8C

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 00802DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Strings

X, xrefs: 00842C5A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction ID: 657a949650e6b9a07b9e89d19888cb7476467baa411abfc62a6e88b36d5fbdee
Opcode Fuzzy Hash: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction Fuzzy Hash: AB218471A0025C9ADB45EF98CC49BDE7BB8FF49314F00405AE505E7281DBB499998B61

Function 00803837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction ID: c20cf37dd8f66fe58e95674bc7b76054eaabd340bfa437d5d3ab82625db6c552
Opcode Fuzzy Hash: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction Fuzzy Hash: D3317C706057019FD760DF24D888797BBE8FB49708F000A6EF59AC3390E775AA44CB52

Function 0081F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0081F661

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

Sleep.KERNEL32(00000000), ref: 0085F2DE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction ID: ff47775cdeee85e1e4db5ff9c95332c2723e9bcc165af3a88bf0988aa738ec2b
Opcode Fuzzy Hash: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction Fuzzy Hash: E8F08C71240205AFD350FF69D849B6AB7E8FF49761F00006AE85DC73A1DB70AC00CB91

Function 00838402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00838440

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction ID: ee36ca4796ca84cd5fd59d3020713b597c47fa7d0358672cb5abb6f49d926f20
Opcode Fuzzy Hash: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction Fuzzy Hash: 5711067590420AEFCF15DF58E94199A7BF9FF88314F104059F808EB312DA31DA118BA5

Function 0082E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 851a8655385276aef9014ca9ce64b1e2fe5f639e1a4de4827b2490e01f03d140
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8DF0D132510A34A6C6313E6DAC15B5A3798FFA2335F100725F821D22D2DA74A881C6EA

Function 00833820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction ID: ade356c16376ee50ecaadcf1537fccf20bfd578f0ce23805217619a57c4369bf
Opcode Fuzzy Hash: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction Fuzzy Hash: 06E0E531101234A7EA212AAAAC04B9A3748FFC27B0F050131BD14D25A1CB61DE0181E5

Function 00804F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804F6D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction ID: c35af79f8ac3e735dea3417aff2224d6032f1dfb26fe883ad36175beb715972c
Opcode Fuzzy Hash: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction Fuzzy Hash: 02F039B1145752CFDB749F64E890822BBE4FF14329324997EE3EAC2661CB329884DF10

Function 008030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction ID: b072315c2716c10c96f63da866f502b2f2b74f40f035ce41a88a95f6fe2df49e
Opcode Fuzzy Hash: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction Fuzzy Hash: 97F03770A14314AFEB56DB24DC497D57BBCBB05708F0401E6E548D6291D7745788CF51

Function 00802DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction ID: 858986f5f442de7eb73410e9bfff685936a779b7384f81cf979899d16d2aa7b8
Opcode Fuzzy Hash: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction Fuzzy Hash: 72E0CD726001245BCB10E79C9C05FDA77DDFFC8790F040071FD09D7248DE60AD848551

Function 00802B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00803837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 008030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction ID: d85155a290440a413154086bf87ec154194f5424e485b5572ed7ecf39822d219
Opcode Fuzzy Hash: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction Fuzzy Hash: DEE04F2120424416CA44BBA89C5656DA75AFF95351F40563FF142C22E3CE6545494253

Function 0084039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction ID: f542be9cb611d7b903a5267135741704c902b5721b6b4d412979159f1caed584
Opcode Fuzzy Hash: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction Fuzzy Hash: 74D06C3204010DBBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB94

Function 00801CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00801CBC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction ID: ef5b4b9eb0b2dccfee2f2b68eaf0e31366e84edc7afcb3ac560b13a00a23b26f
Opcode Fuzzy Hash: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction Fuzzy Hash: E2C09236281304AFF6189B84BC4EF107764B758B00F488203F609A96E3C3A22820EA50

Non-executed Functions

Function 00899576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0089961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0089965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0089969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008996C9
SendMessageW.USER32 ref: 008996F2
GetKeyState.USER32(00000011), ref: 0089978B
GetKeyState.USER32(00000009), ref: 00899798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008997AE
GetKeyState.USER32(00000010), ref: 008997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008997E9
SendMessageW.USER32 ref: 00899810
SendMessageW.USER32(?,00001030,?,00897E95), ref: 00899918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0089992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00899941
SetCapture.USER32(?), ref: 0089994A
ClientToScreen.USER32(?,?), ref: 008999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008999D6
ReleaseCapture.USER32 ref: 008999E1
GetCursorPos.USER32(?), ref: 00899A19
ScreenToClient.USER32(?,?), ref: 00899A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899A80
SendMessageW.USER32 ref: 00899AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899AEB
SendMessageW.USER32 ref: 00899B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00899B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00899B4A
GetCursorPos.USER32(?), ref: 00899B68
ScreenToClient.USER32(?,?), ref: 00899B75
GetParent.USER32(?), ref: 00899B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899BFA
SendMessageW.USER32 ref: 00899C2B
ClientToScreen.USER32(?,?), ref: 00899C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00899CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899CDE
SendMessageW.USER32 ref: 00899D01
ClientToScreen.USER32(?,?), ref: 00899D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00899D82

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetWindowLongW.USER32(?,000000F0), ref: 00899E05

Strings

@GUI_DRAGID, xrefs: 0089997D
U, xrefs: 00899728, 00899894, 008998B7, 008998EF, 00899A3C, 00899BB7, 00899C5E, 00899C8E, 00899D2C, 00899D58, 00899DA1, 00899DF2, 00899E16, 00899E40
F, xrefs: 00899D07
x, xrefs: 00899990

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: U$@GUI_DRAGID$F$x
API String ID: 3429851547-196350754
Opcode ID: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction ID: 4dfad334bc93eb3ba9dd3ee529ce6535f040f422421d5450656af47f70d62004
Opcode Fuzzy Hash: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction Fuzzy Hash: E4429F35204201AFDB25EF68CC58EAABBE5FF59314F18061EF599C72A1E731E850CB52

Function 00894873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00894908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00894927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0089494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0089495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0089497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00894A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A7E
IsMenu.USER32(?), ref: 00894A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894B20
GetWindowLongW.USER32(?,000000F0), ref: 00894B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00894BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00894C82
wsprintfW.USER32 ref: 00894CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00894D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894D5A

Strings

U, xrefs: 0089489F
%d/%02d/%02d, xrefs: 00894CA8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: U$%d/%02d/%02d
API String ID: 4054740463-1036027768
Opcode ID: fac5591cfa35e02d860d9cd9b0175a16a9a2dc1b8374225118b04bc1868ac1d1
Instruction ID: 16b06ea0a39e2583efc46c3c182997a1da7e3fcbf883a6743c7f9008560b14ff
Opcode Fuzzy Hash: fac5591cfa35e02d860d9cd9b0175a16a9a2dc1b8374225118b04bc1868ac1d1
Instruction Fuzzy Hash: 2812EE71600218AFEF25AF28CC49FAE7BE8FF45314F185129F516EA2E1DB749942CB50

Function 0081F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0081F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085F474
IsIconic.USER32(00000000), ref: 0085F47D
ShowWindow.USER32(00000000,00000009), ref: 0085F48A
SetForegroundWindow.USER32(00000000), ref: 0085F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4AA
GetCurrentThreadId.KERNEL32 ref: 0085F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0085F4DE
SetForegroundWindow.USER32(00000000), ref: 0085F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F4F6
keybd_event.USER32(00000012,00000000), ref: 0085F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F50B
keybd_event.USER32(00000012,00000000), ref: 0085F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F519
keybd_event.USER32(00000012,00000000), ref: 0085F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F528
keybd_event.USER32(00000012,00000000), ref: 0085F52D
SetForegroundWindow.USER32(00000000), ref: 0085F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0085F557

Strings

Shell_TrayWnd, xrefs: 0085F46F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction ID: b88f8e8369836293d9da5d45806ea2b2605b04fc6c010d4c4076a08355d9d8ed
Opcode Fuzzy Hash: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction Fuzzy Hash: DE317071A40218BBEB217BB55C4AFBF7E6CFB44B50F14002AFB00E61D1D6B15D00AA60

Function 00861201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00861286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008612A8
CloseHandle.KERNEL32(?), ref: 008612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008612D1
GetProcessWindowStation.USER32 ref: 008612EA
SetProcessWindowStation.USER32(00000000), ref: 008612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00861310

Part of subcall function 008610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
Part of subcall function 008610BF: CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Strings

default, xrefs: 0086130B
winsta0, xrefs: 008612CC
, xrefs: 0086125A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1acfce8194e503c1eccdda11c3dd936c929080abd064d97bbb46ac6178be27a4
Instruction ID: 20d807c726f754ab3af709cdc21bdc003827019392754ae8ae500f6c51e125b0
Opcode Fuzzy Hash: 1acfce8194e503c1eccdda11c3dd936c929080abd064d97bbb46ac6178be27a4
Instruction Fuzzy Hash: D0819E71900208AFDF119FA8DC49FEE7BBAFF04704F19412AF910E62A2DB758944CB25

Function 00860B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860C00
GetLengthSid.ADVAPI32(?), ref: 00860C17
GetAce.ADVAPI32(?,00000000,?), ref: 00860C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860C6D
GetLengthSid.ADVAPI32(?), ref: 00860C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860C8C
HeapAlloc.KERNEL32(00000000), ref: 00860C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860CB4
CopySid.ADVAPI32(00000000), ref: 00860CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D45
HeapFree.KERNEL32(00000000), ref: 00860D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D55
HeapFree.KERNEL32(00000000), ref: 00860D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D65
HeapFree.KERNEL32(00000000), ref: 00860D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00860D78
HeapFree.KERNEL32(00000000), ref: 00860D7F

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction ID: 4f21c75884f1662eec6cdec0b87f786238c84454a043411ce855ed22a990479f
Opcode Fuzzy Hash: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction Fuzzy Hash: 81715A7290020AAFEF10EFA4DC48BAFBBB8FF05300F194616E915E6191D776A905CF64

Function 0087EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0089CC08), ref: 0087EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0087EB37
GetClipboardData.USER32(0000000D), ref: 0087EB43
CloseClipboard.USER32 ref: 0087EB4F
GlobalLock.KERNEL32(00000000), ref: 0087EB87
CloseClipboard.USER32 ref: 0087EB91
GlobalUnlock.KERNEL32(00000000), ref: 0087EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0087EBC9
GetClipboardData.USER32(00000001), ref: 0087EBD1
GlobalLock.KERNEL32(00000000), ref: 0087EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0087EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0087EC38
GetClipboardData.USER32(0000000F), ref: 0087EC44
GlobalLock.KERNEL32(00000000), ref: 0087EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0087EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0087ECF3
CountClipboardFormats.USER32 ref: 0087ED14
CloseClipboard.USER32 ref: 0087ED59

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction ID: 584cc4240ac48c75bc97515683dc6f219c7169ab2060fb24c4c4ce5acd7d4e88
Opcode Fuzzy Hash: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction Fuzzy Hash: F661BF342042059FD311EF68DC85F2A7BA4FF88714F18859EF45AD72A6DB32D905CBA2

Function 0087698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008769BE
FindClose.KERNEL32(00000000), ref: 00876A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A75

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00876AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00876ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00876B32
%4d, xrefs: 00876BB1
%02d, xrefs: 00876C00, 00876C0A, 00876C5A, 00876CAA, 00876CFA, 00876D4A
%03d, xrefs: 00876DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00876B6A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction ID: 01f899b47229a9465e70ad03e6996172ef875e3ab2ae5a43bc91c12ab1417b37
Opcode Fuzzy Hash: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction Fuzzy Hash: 9DD12E72908340AEC754EBA4CC81EABB7ECFF88704F444919F589D6192EB74DA44CB63

Function 00879642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00879663
GetFileAttributesW.KERNEL32(?), ref: 008796A1
SetFileAttributesW.KERNEL32(?,?), ref: 008796BB
FindNextFileW.KERNEL32(00000000,?), ref: 008796D3
FindClose.KERNEL32(00000000), ref: 008796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0087974A
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 00879768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00879772
FindClose.KERNEL32(00000000), ref: 0087977F
FindClose.KERNEL32(00000000), ref: 0087978F

Strings

*.*, xrefs: 008796F5

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction ID: e26f1727d1113ee532d5dc55384c92dfddf102de5e4d7384dbc3f200c1e00477
Opcode Fuzzy Hash: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction Fuzzy Hash: AB31D3325412196BDF14EFB4EC48EDE77ACFF09360F148166F859E21A0EB35DE808A20

Function 0087979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00879819
FindClose.KERNEL32(00000000), ref: 00879824
FindFirstFileW.KERNEL32(*.*,?), ref: 00879840
SetCurrentDirectoryW.KERNEL32(?), ref: 00879890
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 008798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008798B8
FindClose.KERNEL32(00000000), ref: 008798C5
FindClose.KERNEL32(00000000), ref: 008798D5

Part of subcall function 0086DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0086DB00

Strings

*.*, xrefs: 0087983B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction ID: c9ea57fd90de20aa36d714c4557ac3170f9bbf10353c9eb3438b5d16ef087184
Opcode Fuzzy Hash: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction Fuzzy Hash: 5231A3315416196ADF10EFB4EC48EDE77BCFF06324F1481A6E898E21D4EB35DD848A61

Function 0088BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0088BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0088BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0088C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0088C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0088C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088C382
RegCloseKey.ADVAPI32(00000000), ref: 0088C38F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 76f4afc8d27afd3cdb0f462bad237337b6384ac2f4aa8f3246316aec061b399a
Instruction ID: af881848d26e516d9987a1cd957ccc207116f09a4ea467637697ea57727a2d1f
Opcode Fuzzy Hash: 76f4afc8d27afd3cdb0f462bad237337b6384ac2f4aa8f3246316aec061b399a
Instruction Fuzzy Hash: AD024D716042009FD754DF28C895E2ABBE5FF89318F18849DF449DB2A6DB31EC46CB62

Function 00878195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00878257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00878267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00878273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00878310
SetCurrentDirectoryW.KERNEL32(?), ref: 00878324
SetCurrentDirectoryW.KERNEL32(?), ref: 00878356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0087838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00878395

Strings

*.*, xrefs: 0087839B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction ID: 4b1c08d9d7f97117a60d3819a1482d3300d11a6ced6e2e1622792a6909759033
Opcode Fuzzy Hash: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction Fuzzy Hash: B5616CB25043059FDB10EF68C8849AEB3E8FF89314F04891EF999C7251DB31E945CB92

Function 0086D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0086D1DD
MoveFileW.KERNEL32(?,?), ref: 0086D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D237

Part of subcall function 0086D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0086D21C,?,?), ref: 0086D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0086D253
FindClose.KERNEL32(00000000), ref: 0086D264

Strings

\*.*, xrefs: 0086D0CD, 0086D0D6, 0086D0EB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction ID: ebd2419785aef5cff6586c502c42717395fefe43213c40d5450c9b27066eb28f
Opcode Fuzzy Hash: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction Fuzzy Hash: 5B613931D012099ACF05EBA4DD929EEB779FF55300F254165E402B7292EB31AF09CB62

Function 0087ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0087ED91
EmptyClipboard.USER32 ref: 0087ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0087EDAC
CloseClipboard.USER32 ref: 0087EEA3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction ID: 0d7789358ef6ffc6912ae414466614b86d8f998b65973685f21bfba5c858854d
Opcode Fuzzy Hash: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction Fuzzy Hash: D0418035604611AFE721DF19D888B19BBE5FF48318F18C49EE419CB6A2CB76EC41CB91

Function 0086E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

ExitWindowsEx.USER32(?,00000000), ref: 0086E932

Strings

, xrefs: 0086E95C
@, xrefs: 0086E925
, xrefs: 0086E920
SeShutdownPrivilege, xrefs: 0086E902

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction ID: ac15834ca35ec127470f99f04e11d643c3594ee5022af1d7a6450850d5bcf320
Opcode Fuzzy Hash: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction Fuzzy Hash: 1901D676610215ABFB5466B99C8AFBB776CFF14754F1B0422F812E21D2E6A25C4085A0

Function 00881204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00881276
WSAGetLastError.WSOCK32 ref: 00881283
bind.WSOCK32(00000000,?,00000010), ref: 008812BA
WSAGetLastError.WSOCK32 ref: 008812C5
closesocket.WSOCK32(00000000), ref: 008812F4
listen.WSOCK32(00000000,00000005), ref: 00881303
WSAGetLastError.WSOCK32 ref: 0088130D
closesocket.WSOCK32(00000000), ref: 0088133C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction ID: 6b5a18c7c571bb828fc009fdb67c6e8933e07eb314b25f3927a4e373a70d36eb
Opcode Fuzzy Hash: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction Fuzzy Hash: 004171316001109FDB10EF68C888B69BBE5FF46318F188199D856DF2D6CB71ED82CBA1

Function 0086D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D481
FindClose.KERNEL32(00000000), ref: 0086D498
FindClose.KERNEL32(00000000), ref: 0086D4A1

Strings

\*.*, xrefs: 0086D3F2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction ID: ef371fc391cc56e1a5ee749458786d29855e32ea633d8113016824696267fcc8
Opcode Fuzzy Hash: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction Fuzzy Hash: 95316D315083459BC204EF68DC919AFB7A8FE91304F454A2EF4D1D2291EB31AA098B67

Function 0083E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0083E645

Strings

1#IND, xrefs: 0083F83D
1#INF, xrefs: 0083F852
1#SNAN, xrefs: 0083F844
1#QNAN, xrefs: 0083F84B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction ID: 686beceb53efb13a4d3c78f2d3f61a561f2826303e12655410b3a97e3e5d6cb6
Opcode Fuzzy Hash: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction Fuzzy Hash: 7EC22A71E086298FDB25CE28DD407EAB7B5FB85305F1441EAD94DE7281E774AE818F80

Function 0087648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008764DC
CoInitialize.OLE32(00000000), ref: 00876639
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 00876650
CoUninitialize.OLE32 ref: 008768D4

Strings

.lnk, xrefs: 008764BA, 00876524, 008765E0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction ID: 134dcfa0e9f99065f84fd03d9d2140a88952747ba9913d21ef05a93a04cfdf63
Opcode Fuzzy Hash: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction Fuzzy Hash: B8D149715086019FD304EF28C881E6BB7E8FF94704F14896DF599CB2A2EB71E905CB92

Function 008822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008822E8

Part of subcall function 0087E4EC: GetWindowRect.USER32(?,?), ref: 0087E504

GetDesktopWindow.USER32 ref: 00882312
GetWindowRect.USER32(00000000), ref: 00882319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00882355
GetCursorPos.USER32(?), ref: 00882381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008823DF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction ID: d9ee9779b0a4849d4d521afedabb6632b5bacc31187ad13609e581363ca30d6b
Opcode Fuzzy Hash: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction Fuzzy Hash: 9031C072504315AFDB20EF58C849B5BBBA9FF88314F04091EF985D7291DB35EA09CB92

Function 00879B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00879B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00879C8B

Part of subcall function 00873874: GetInputState.USER32 ref: 008738CB
Part of subcall function 00873874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00879BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00879C75

Strings

*.*, xrefs: 00879B5D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction ID: 4a7401e61ada8a65dee9a6d63e58f4c40206a92feb258a96267a9eb12e97c458
Opcode Fuzzy Hash: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction Fuzzy Hash: 714160719002099FCF55DFA4C985AEE7BB8FF45310F148056E459E2295EB31DE84CF61

Function 0081997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00819A4E
GetSysColor.USER32(0000000F), ref: 00819B23
SetBkColor.GDI32(?,00000000), ref: 00819B36

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction ID: 18a9a1c448ef53062bb65152a896cdd3a9a2485c19b64d10f9fbbe091fc0b4fc
Opcode Fuzzy Hash: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction Fuzzy Hash: BEA15070209428BEEB24AA3CAC78DFB3B9DFF46315F154219F582C65D1CA259D89C272

Function 00881806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0088185D
WSAGetLastError.WSOCK32 ref: 00881884
bind.WSOCK32(00000000,?,00000010), ref: 008818DB
WSAGetLastError.WSOCK32 ref: 008818E6
closesocket.WSOCK32(00000000), ref: 00881915

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction ID: e7f947592fb5f0070e0c12a96070e10750b3599033c47749e5424763892cd7d8
Opcode Fuzzy Hash: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction Fuzzy Hash: C7518371A002105FDB10AF28CC86F6A77A9FB44718F588458F905DF3D3DB71AD428BA2

Function 00891C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00891CC0
IsWindowEnabled.USER32 ref: 00891CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00891CDB
IsIconic.USER32 ref: 00891CE9
IsZoomed.USER32 ref: 00891CF7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5b4adc24833df03cbc868cad0ff941cc7df0e06962397b6bfd70a632b4c175d2
Instruction ID: ddaba73d0a6ceae8e1d476cd8142ed484735ecb23f0109df123062870c0ffbb2
Opcode Fuzzy Hash: 5b4adc24833df03cbc868cad0ff941cc7df0e06962397b6bfd70a632b4c175d2
Instruction Fuzzy Hash: 6A21D3317442129FDF20AF1AC848B2A7BE5FF95318B1D8059E846CB351CB72DC42CB91

Function 00808060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0080843C
VUUU, xrefs: 00845DF0
VUUU, xrefs: 008083FA
VUUU, xrefs: 008083E8
ERCP, xrefs: 0080813C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction ID: 3b3dd99da8861e26a3987a59232d8ce8d8b0a14941ef4c943b959940685adc81
Opcode Fuzzy Hash: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction Fuzzy Hash: A8A27A70A0061ECBDF64CF58C8807AEB7B1FB55314F2481AAE855EB285EB709DD1CB91

Function 0086AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0086AAAC
SetKeyboardState.USER32(00000080), ref: 0086AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0086AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0086AB88

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction ID: 9dcf8dbf4dbfa9a95d44f0c84481312140815c2d838397e5773c0b4fde7e69db
Opcode Fuzzy Hash: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction Fuzzy Hash: 5D31E930A40258AEEB39CA658C05BFE77AAFB45320F09421BE581E61D1D3758D81CB62

Function 0083BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0083BB7F

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

GetTimeZoneInformation.KERNEL32 ref: 0083BB91
WideCharToMultiByte.KERNEL32(00000000,?,008D121C,000000FF,?,0000003F,?,?), ref: 0083BC09
WideCharToMultiByte.KERNEL32(00000000,?,008D1270,000000FF,?,0000003F,?,?,?,008D121C,000000FF,?,0000003F,?,?), ref: 0083BC36

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 82f6fcd3edf4d1a3f68e90f01b9684f4c35ff6f992c57d592ea2735a673f485e
Instruction ID: e313db5c17b0f34916c66cf6e1700c06c91b3cd5aff24428f13f2b955614ac56
Opcode Fuzzy Hash: 82f6fcd3edf4d1a3f68e90f01b9684f4c35ff6f992c57d592ea2735a673f485e
Instruction Fuzzy Hash: 8E31B2B0904205EFCB11DFA9DC80929BBB8FF95720B1446ABE160D73A1D7319E41CB90

Function 0087CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0087CE89
GetLastError.KERNEL32(?,00000000), ref: 0087CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0087CEFE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction ID: 9f6b8e5111f4480a9c4657fd66ec2d8447cc26eda142071f86c824e4cc9cafb9
Opcode Fuzzy Hash: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction Fuzzy Hash: F421BDB2500705ABEB20DFA5D948BA67BF8FB40318F14841EE54AD3151EB70EE448B64

Function 00868298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008682AA

Strings

|, xrefs: 008682DA
(, xrefs: 008682F0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction ID: d1affc789cc6421f5b09e81682a8c8e940ee40adff9efae5861c8516cbef0a4c
Opcode Fuzzy Hash: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction Fuzzy Hash: 20322575A00605DFCB28CF59C481A6AB7F0FF48710B16C56EE59ADB3A1EB70E981CB44

Function 00875C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00875CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00875D17
FindClose.KERNEL32(?), ref: 00875D5F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction ID: efdf8c1a0c0654c0867f0a53b90f68acd0fc49cd5cc0154d34e7408be7f7c61a
Opcode Fuzzy Hash: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction Fuzzy Hash: 5051BA746046019FC714DF28C894A9ABBE4FF49324F14856EE95ACB3A1CB70ED40CB92

Function 00832622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0083271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00832724
UnhandledExceptionFilter.KERNEL32(?), ref: 00832731

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction ID: 3c021ff568d1ec4ef0a75738594c4081cf33f7d95a83af66ddd7fd7e2613ce5e
Opcode Fuzzy Hash: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction Fuzzy Hash: 5D31B574911228ABCB21DF68DC89B9DB7B8FF08310F5041EAE41CA7261E7309F818F85

Function 008751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00875238
SetErrorMode.KERNEL32(00000000), ref: 008752A1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction ID: bb89905c11349c876eaa67802d4d065066564aa5e06f4f7767b823a10e6a921c
Opcode Fuzzy Hash: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction Fuzzy Hash: F8315075A10518DFDB00DF54D884EADBBB4FF49314F088099E809EB3A6DB71E855CB51

Function 008616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820668
Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
GetLastError.KERNEL32 ref: 0086174A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8b75c6f56d43c912ecada3f1e47a3f8e45e7e35f9ce1cea056780814796b7eac
Instruction ID: 62802138ec7b6675de4dc6f7970ea56ad67835db64e11986f0347396190386ad
Opcode Fuzzy Hash: 8b75c6f56d43c912ecada3f1e47a3f8e45e7e35f9ce1cea056780814796b7eac
Instruction Fuzzy Hash: 431194B1414304AFD718AF54EC86D6AB7FDFF44754B25852EE05697242EB71BC418B20

Function 0086D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0086D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D650

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction ID: f11bcf2553f23c0a3bf1d4f5624645fd8c08b5084c687c2187ff23c2a3d5c4ff
Opcode Fuzzy Hash: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction Fuzzy Hash: 96113C75E05228BBDB109F95DC45FAFBBBCFB45B50F108116F904E7290D6704A058BA1

Function 00861663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0086168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008616A1
FreeSid.ADVAPI32(?), ref: 008616B1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction ID: a7da07d414d6a7fd21fc4433fe0b05f2fa5293521c51aba122777206fffe30c8
Opcode Fuzzy Hash: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction Fuzzy Hash: DFF04471940308FBDF00DFE0CC89AAEBBBCFB08200F444561E500E2181E331AA048A50

Function 0085D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0085D28C

Strings

X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction ID: bd0ac06d9508a343db7f3ba78b81d2b403821f336ed01250883706eb99257cff
Opcode Fuzzy Hash: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction Fuzzy Hash: 03D0C9B580121DEECB90DB90DC88DDDB37CFB14309F100152F506E2000D77095888F20

Function 0082CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f2aa0fe9e9059a15c8425f1af599375e69d62a3e133fc26f66cbdba368b5e429
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 54021C71E002299FDF14CFA9D9806ADFBF1FF48314F25816AD919E7384D731AA418B94

Function 0080CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

x, xrefs: 0080CF7F
Variable is not of type 'Object'., xrefs: 00850C40

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$x
API String ID: 0-1494074405
Opcode ID: e513340fb8c95e32c82402172e4f5ab6977c230550ed85821528f690884656d7
Instruction ID: 8fe08dab713c76f5de7f01ba4046d45e0028951cc2dc2934800c3afd61f7698d
Opcode Fuzzy Hash: e513340fb8c95e32c82402172e4f5ab6977c230550ed85821528f690884656d7
Instruction Fuzzy Hash: C8327A709002199BDF54DF94CC81AEDB7B5FF05308F248259E806EB292DB75AE49CB62

Function 008768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00876918
FindClose.KERNEL32(00000000), ref: 00876961

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction ID: a60508f264e26a83e73f7f753078cc956bfa24cce52069b43c1e846ecf2c9ce5
Opcode Fuzzy Hash: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction Fuzzy Hash: AB11D0716046019FD710DF69C884A16BBE0FF85328F04C699E569CF2A2DB30EC05CB91

Function 008737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737F4

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction ID: dd8cd9e687c77dd36f09abbc6bf856af361872b09cb788174330d8bf48220afd
Opcode Fuzzy Hash: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction Fuzzy Hash: 3AF0E5B16042282AEB2027AA8C4DFEB7BAEFFC47A1F000175F509D2295D9609944C6B1

Function 0086B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0086B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0086B270

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction ID: 8b2aedcd040cdade5e5283a0df271c4758d7e04c076a8c97a427e9974c358498
Opcode Fuzzy Hash: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction Fuzzy Hash: 50F01D7180428DABDB059FA4C805BAE7BB4FF04309F04801AF955E6192D37986519F94

Function 008610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a22295d4a7a514f9cf86cc29764530b60a8393cf4b77924af6310bd3f0afb5ad
Instruction ID: c074f0106ccf55d0e81fe8cdd1e71f95a064e6ae8576e3ffa5beb798b5d5f41e
Opcode Fuzzy Hash: a22295d4a7a514f9cf86cc29764530b60a8393cf4b77924af6310bd3f0afb5ad
Instruction Fuzzy Hash: 9FE0BF72018610AEEB252B55FC09EB777ADFF04310F14882EF5A5C44B2DB626CE0DB50

Function 0083676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00836766,?,?,00000008,?,?,0083FEFE,00000000), ref: 00836998

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction ID: 3129cfaf292cd8a17dc6eef98c13f0a170d9d4d8de728a77415133a560e28cef
Opcode Fuzzy Hash: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction Fuzzy Hash: E6B13C31510608AFD715CF2CC48AB657BE0FF85368F29C658E899CF2A1D735D9A1CB80

Function 0081B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0085851F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction ID: 613aee88545ad06c2233233c90affc102db9ab2150d9582b963bd0b763788c96
Opcode Fuzzy Hash: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction Fuzzy Hash: 4B124D75A00229DFDB14CF58C8816EEB7F9FF48710F14819AE849EB255EB309A85CF94

Function 0087EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0087EABD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction ID: 7edca3f50e56218e8c7655692231890a5debdd309fb27251d0e65c306da58547
Opcode Fuzzy Hash: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction Fuzzy Hash: ABE01A312002149FD710EF59D804E9AF7E9FFA8764F00845AFC49C72A1DAB0E8408B91

Function 008209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008203EE), ref: 008209DA

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction ID: e1fa39588e1e3347f5ed8d0e1487884ade553280bafc22b6ab96953bc72e71dd
Opcode Fuzzy Hash: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction Fuzzy Hash:

Function 0082781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0082798B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: edeef3a6df98354cf6398ee62cb59c2d837931699ab6cc4e94fd2372fa56d3bf
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8D51687160C779ABDF38852FB85E7BE2B85FB12304F180529D982D7282C619DEC1D35A

Function 00836DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction ID: 2be5aa7028b62ed2b9990df0df2a844ba1f484298e0fef4bd8d5087f4f46a37d
Opcode Fuzzy Hash: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction Fuzzy Hash: D3320162D29F414DE7339638C822326A649BFB73C5F15D737E81AB5DAAEB29C4834140

Function 0081CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction ID: 99b0ea8f014adf4e6326ce671b3f657542b712ace2015e8d9fd788824e204e7f
Opcode Fuzzy Hash: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction Fuzzy Hash: 2132F431A003198FCF24CE69C4946BD7BA5FF85316F28856ADC4ADB291E2349D89DF81

Function 00807920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c37e922b88c7ad7f7ca2434a4441619a359c3aeb8db572d712aafa898c2771
Instruction ID: 75eb1b25eadff4600adc9687aaae64e109a22568677e8fd50e535c8b03938a65
Opcode Fuzzy Hash: a9c37e922b88c7ad7f7ca2434a4441619a359c3aeb8db572d712aafa898c2771
Instruction Fuzzy Hash: B722BFB0E04609DFDF14CF68D881AAEB7B5FF44314F144629E812EB292EB36AD51CB51

Function 008091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eba1f62a54b4f67641d0a7b4c002bd0baecd17cf977463c41ac817e57faa2a
Instruction ID: 258cb85d8c72eb4206dfaa907432aa3516fc5c227726a5e7a9b5d9619d693f2b
Opcode Fuzzy Hash: a7eba1f62a54b4f67641d0a7b4c002bd0baecd17cf977463c41ac817e57faa2a
Instruction Fuzzy Hash: 7002C6B0E00219EFDB04DF68D881AAEB7B5FF54304F118169E856DB3D1EB31AA51CB81

Function 00839EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction ID: 86cd61484df1f2c904e3e7c396a8ca7c50867afb98fcbe871cf1d85b779af105
Opcode Fuzzy Hash: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction Fuzzy Hash: 56B1DF20D2AF414DE62396399831336F65CBFBB6D5F91D71BFC6674E22EB2286834140

Function 00821C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d8a11d8c7833d68d7b1df5f0147c65f138085518af589c30722cf97e521f7f57
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 97915A766080B34ADF294639A57C07EFFE1FA623A132A079DD4F2CA1C5EE2495D4D620

Function 008219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9560c3b2c3a9317b541f1613249dfe0784b273607c787e0b561794dd0b728e29
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D79124722090B349DF69467AA57C03DFEF1EAA23B536A07AED4F3CA1C1FD1485D49620

Function 00827A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction ID: 6e6181d51891e8a5daae1b4013ba2754979215591ffa860df1e5c27c78f5e7f9
Opcode Fuzzy Hash: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction Fuzzy Hash: 5561797120873996DF389A2EBC95BBE2394FF41774F10091AE943DB281DA119EC2C756

Function 00827CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction ID: fe9662397fcc906981d4454877d9e5a6c890648a791e954a2955dad32e6eb961
Opcode Fuzzy Hash: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction Fuzzy Hash: 62618D79208739A7DE384A2E7855BBF23C4FF42B04F10095AE843DB2C9DA119DC18766

Function 00821706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 31418f0b74bbe76d3ec6e327b49c6d3b2ed3d0a85fa77dcef992ddffe147e4bd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 548153726090B34DDF694239957843EFFE1FAA23A132A07AED4F2CA1C5EE1485D4D620

Function 00872046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction ID: f3383d6602bdb2dbc013bef91619bc20d5bbd85abebfd74b4cc0b7edcfe2e6ad
Opcode Fuzzy Hash: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction Fuzzy Hash: 7B2184326216118BDB28CE79C81267E73E5F764310F198A2EA4A7C37D0DE35E9048B50

Function 00882ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00882B30
DeleteObject.GDI32(00000000), ref: 00882B43
DestroyWindow.USER32 ref: 00882B52
GetDesktopWindow.USER32 ref: 00882B6D
GetWindowRect.USER32(00000000), ref: 00882B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00882CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00882CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882CF8
GetClientRect.USER32(00000000,?), ref: 00882D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00882D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D80
GlobalLock.KERNEL32(00000000), ref: 00882D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D98
GlobalUnlock.KERNEL32(00000000), ref: 00882DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DA8
GlobalFree.KERNEL32(00000000), ref: 00882DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0089FC38,00000000), ref: 00882DDB
GlobalFree.KERNEL32(00000000), ref: 00882DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00882E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00882E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0088303F

Strings

static, xrefs: 00882D3A, 00882E91
AutoIt v3, xrefs: 00882CF2
DISPLAY, xrefs: 00882EA2
, xrefs: 00882FC5

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction ID: 0efeb370e7bb82030b573728859d116d13b452b1ac4da0d7d8aa1fbacda8a74c
Opcode Fuzzy Hash: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction Fuzzy Hash: 87024D71500209AFDB14EFA8CC89EAE7BB9FF48714F048159F915EB2A1DB75AD01CB60

Function 008970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0089712F
GetSysColorBrush.USER32(0000000F), ref: 00897160
GetSysColor.USER32(0000000F), ref: 0089716C
SetBkColor.GDI32(?,000000FF), ref: 00897186
SelectObject.GDI32(?,?), ref: 00897195
InflateRect.USER32(?,000000FF,000000FF), ref: 008971C0
GetSysColor.USER32(00000010), ref: 008971C8
CreateSolidBrush.GDI32(00000000), ref: 008971CF
FrameRect.USER32(?,?,00000000), ref: 008971DE
DeleteObject.GDI32(00000000), ref: 008971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00897230
FillRect.USER32(?,?,?), ref: 00897262
GetWindowLongW.USER32(?,000000F0), ref: 00897284

Part of subcall function 008973E8: GetSysColor.USER32(00000012), ref: 00897421
Part of subcall function 008973E8: SetTextColor.GDI32(?,?), ref: 00897425
Part of subcall function 008973E8: GetSysColorBrush.USER32(0000000F), ref: 0089743B
Part of subcall function 008973E8: GetSysColor.USER32(0000000F), ref: 00897446
Part of subcall function 008973E8: GetSysColor.USER32(00000011), ref: 00897463
Part of subcall function 008973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
Part of subcall function 008973E8: SelectObject.GDI32(?,00000000), ref: 00897482
Part of subcall function 008973E8: SetBkColor.GDI32(?,00000000), ref: 0089748B
Part of subcall function 008973E8: SelectObject.GDI32(?,?), ref: 00897498
Part of subcall function 008973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
Part of subcall function 008973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
Part of subcall function 008973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 38800620e10d7e7bb9ac5fc9549203007eeb98475bafc38826c4edc1654f83af
Instruction ID: 1bfacb28dee2302cc78311a13d0896dbac26f6035b612ac4e170d0c965d92e44
Opcode Fuzzy Hash: 38800620e10d7e7bb9ac5fc9549203007eeb98475bafc38826c4edc1654f83af
Instruction Fuzzy Hash: 3FA18172018301BFDB11AF64DC48E6B7BA9FF89321F180A1AF962D61E1D772E944CB51

Function 00818D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00818E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00856AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00856AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00856F43

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

SendMessageW.USER32(?,00001053), ref: 00856F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00856F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FB7

Strings

0, xrefs: 00856DCF
U, xrefs: 00818DC2, 00856ADC, 00856B10, 00856B5F, 00856B9F, 00856C47, 00856CE8, 00856D8C, 00856E18, 00856EEF, 00856F15, 00856FC8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: U$0
API String ID: 2760611726-4222668077
Opcode ID: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction ID: c8723828c72ea84be972382816397a97f63c68380f56675419bdb9946935aca1
Opcode Fuzzy Hash: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction Fuzzy Hash: C212BE30601201EFDB21DF24D859BA9BBF5FF44312F98456AF885CB261DB32ACA5CB51

Function 00882711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0088273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0088286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00882900
GetClientRect.USER32(00000000,?), ref: 0088290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00882955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00882964
GetStockObject.GDI32(00000011), ref: 00882974
SelectObject.GDI32(00000000,00000000), ref: 00882978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00882988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00882991
DeleteDC.GDI32(00000000), ref: 0088299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00882A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00882A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00882A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00882A77
GetStockObject.GDI32(00000011), ref: 00882A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00882A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00882A97

Strings

msctls_progress32, xrefs: 00882A13
static, xrefs: 0088294F, 00882A71
AutoIt v3, xrefs: 008828F8
DISPLAY, xrefs: 0088295A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction ID: 97f5872383f7af39ab7b7c723efed8bd6d21b8ff151984cb2b89ec4f852a61fd
Opcode Fuzzy Hash: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction Fuzzy Hash: 75B14A71A00215BFEB14EFA8CC49EAA7BA9FB08714F044255F915E72E0D774AD40CBA4

Function 00874ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874AED
GetDriveTypeW.KERNEL32(?,0089CB68,?,\\.\,0089CC08), ref: 00874BCA
SetErrorMode.KERNEL32(00000000,0089CB68,?,\\.\,0089CC08), ref: 00874D36

Strings

MMC, xrefs: 00874CDE
SCSI, xrefs: 00874C8A
Unknown, xrefs: 00874BED, 00874C83
SAS, xrefs: 00874CC9
Virtual, xrefs: 00874CE5
1394, xrefs: 00874C9F
CDROM, xrefs: 00874BFB
Network, xrefs: 00874C02
RAID, xrefs: 00874CBB
Fixed, xrefs: 00874C09
RAMDisk, xrefs: 00874BF4
Fibre, xrefs: 00874CAD
SSD, xrefs: 00874C4A
ATAPI, xrefs: 00874C91
ATA, xrefs: 00874C98
\\.\, xrefs: 00874B3F
USB, xrefs: 00874CB4
Removable, xrefs: 00874C10, 00874C15
SSA, xrefs: 00874CA6
iSCSI, xrefs: 00874CC2
PhysicalDrive, xrefs: 00874B76
SATA, xrefs: 00874CD0
FileBackedVirtual, xrefs: 00874CEC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction ID: be89605a120835088e555044f1552606ad58cf02edc38b85c5eaaad3c68c260a
Opcode Fuzzy Hash: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction Fuzzy Hash: 2A61A1316051099BCB15DB58C981E6977B0FF84304B24D029F91BEB399EB3ADD519B42

Function 008973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00897421
SetTextColor.GDI32(?,?), ref: 00897425
GetSysColorBrush.USER32(0000000F), ref: 0089743B
GetSysColor.USER32(0000000F), ref: 00897446
CreateSolidBrush.GDI32(?), ref: 0089744B
GetSysColor.USER32(00000011), ref: 00897463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
SelectObject.GDI32(?,00000000), ref: 00897482
SetBkColor.GDI32(?,00000000), ref: 0089748B
SelectObject.GDI32(?,?), ref: 00897498
InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0089752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00897554
InflateRect.USER32(?,000000FD,000000FD), ref: 00897572
DrawFocusRect.USER32(?,?), ref: 0089757D
GetSysColor.USER32(00000011), ref: 0089758E
SetTextColor.GDI32(?,00000000), ref: 00897596
DrawTextW.USER32(?,008970F5,000000FF,?,00000000), ref: 008975A8
SelectObject.GDI32(?,?), ref: 008975BF
DeleteObject.GDI32(?), ref: 008975CA
SelectObject.GDI32(?,?), ref: 008975D0
DeleteObject.GDI32(?), ref: 008975D5
SetTextColor.GDI32(?,?), ref: 008975DB
SetBkColor.GDI32(?,?), ref: 008975E5

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 21b1429cb219dd6fba698c3f3fffa069d8815b976ee3668fe7d07667e43aa368
Instruction ID: 693ef475c6a42bb1c55d99772a4317a817d1f004815b6fcba6e6fc189e8cfc18
Opcode Fuzzy Hash: 21b1429cb219dd6fba698c3f3fffa069d8815b976ee3668fe7d07667e43aa368
Instruction Fuzzy Hash: 53613C72904218AFDF01AFA4DC49AEEBFB9FF09320F194116F915AB2A1D7759940CB90

Function 00890FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00891128
GetDesktopWindow.USER32 ref: 0089113D
GetWindowRect.USER32(00000000), ref: 00891144
GetWindowLongW.USER32(?,000000F0), ref: 00891199
DestroyWindow.USER32(?), ref: 008911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0089120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0089121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00891232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00891245
IsWindowVisible.USER32(00000000), ref: 008912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008912D0
GetWindowRect.USER32(00000000,?), ref: 008912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0089130E
GetMonitorInfoW.USER32(00000000,?), ref: 00891328
CopyRect.USER32(?,?), ref: 0089133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008913AA

Strings

0, xrefs: 008910D3
tooltips_class32, xrefs: 008911E6
(, xrefs: 0089131B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction ID: d0ea2478c45570211dc91fff9dd29580110e8a7b9aa57e5328e86f5fea558c2b
Opcode Fuzzy Hash: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction Fuzzy Hash: 78B16D71608341AFDB54EF64C888B5ABBE4FF84354F04891DF999DB2A1C771E844CB52

Function 00818891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00818968
GetSystemMetrics.USER32(00000007), ref: 00818970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0081899B
GetSystemMetrics.USER32(00000008), ref: 008189A3
GetSystemMetrics.USER32(00000004), ref: 008189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00818A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00818A3C
GetClientRect.USER32(00000000,000000FF), ref: 00818A5A
GetStockObject.GDI32(00000011), ref: 00818A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00818A81

Part of subcall function 0081912D: GetCursorPos.USER32(?), ref: 00819141
Part of subcall function 0081912D: ScreenToClient.USER32(00000000,?), ref: 0081915E
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000001), ref: 00819183
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000002), ref: 0081919D

SetTimer.USER32(00000000,00000000,00000028,008190FC), ref: 00818AA8

Strings

AutoIt v3 GUI, xrefs: 00818A20

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction ID: 3b4307b18aca6e21786110c0c63441bab0cfce80da2ef153490823a7271daa0c
Opcode Fuzzy Hash: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction Fuzzy Hash: 36B15871A00209EFDF14DFA8CC59BAA7BB5FF48315F14422AFA15E7290DB34A880CB51

Function 00860D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860E29
GetLengthSid.ADVAPI32(?), ref: 00860E40
GetAce.ADVAPI32(?,00000000,?), ref: 00860E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860E96
GetLengthSid.ADVAPI32(?), ref: 00860EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860EB5
HeapAlloc.KERNEL32(00000000), ref: 00860EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860EDD
CopySid.ADVAPI32(00000000), ref: 00860EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F6E
HeapFree.KERNEL32(00000000), ref: 00860F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F7E
HeapFree.KERNEL32(00000000), ref: 00860F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F8E
HeapFree.KERNEL32(00000000), ref: 00860F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00860FA1
HeapFree.KERNEL32(00000000), ref: 00860FA8

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction ID: 5473a9a354ecfa4d604ee2022329a7b2342259ce0056a85d89b8f097315104df
Opcode Fuzzy Hash: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction Fuzzy Hash: 6871597290021AAFDF219FA4DC48BAFBBB8FF15300F094116F959E6191DB329A05CF64

Function 0088C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0089CC08,00000000,?,00000000,?,?), ref: 0088C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0088C5A4
_wcslen.LIBCMT ref: 0088C5F4
_wcslen.LIBCMT ref: 0088C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0088C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0088C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0088C84D
RegCloseKey.ADVAPI32(?), ref: 0088C881
RegCloseKey.ADVAPI32(00000000), ref: 0088C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0088C960

Strings

REG_MULTI_SZ, xrefs: 0088C6F5
REG_DWORD, xrefs: 0088C804
REG_SZ, xrefs: 0088C644
REG_BINARY, xrefs: 0088C913
REG_EXPAND_SZ, xrefs: 0088C5CD
REG_QWORD, xrefs: 0088C8C3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 48c9f2688898ae172122334bc926ed4e085a037b6c94db744746c260e4c113f3
Instruction ID: ce8c25dafa511c8a141927fd0511b03a39359e0a3bb651c6b667e08a4444be5e
Opcode Fuzzy Hash: 48c9f2688898ae172122334bc926ed4e085a037b6c94db744746c260e4c113f3
Instruction Fuzzy Hash: 6C1236356042019FDB54EF18C891A2AB7E5FF88714F14885DF89ADB3A2DB31ED41CB92

Function 0089091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008909C6
_wcslen.LIBCMT ref: 00890A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00890A54
_wcslen.LIBCMT ref: 00890A8A
_wcslen.LIBCMT ref: 00890B06
_wcslen.LIBCMT ref: 00890B81

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

Part of subcall function 00862BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00862BFA

Strings

SELECT, xrefs: 00890D11
ISCHECKED, xrefs: 00890CE1
GETSELECTED, xrefs: 00890C4E
COLLAPSE, xrefs: 00890B01, 00890B1C
GETITEMCOUNT, xrefs: 00890C1E
GETTEXT, xrefs: 00890C97
EXPAND, xrefs: 00890BF8
GETTOTALCOUNT, xrefs: 008909F2, 00890A17
EXISTS, xrefs: 00890B7C, 00890B97
UNCHECK, xrefs: 00890D3E
CHECK, xrefs: 00890A85, 00890AA0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction ID: 40519726c10d0a51a22403254c0800f73cd8f5e68df5c0ee990b43e609a1e733
Opcode Fuzzy Hash: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction Fuzzy Hash: 44E15A316087118FCB14EF28C85096AB7E1FF98358B19495DF896DB3A2DB31ED45CB82

Function 0088C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
_wcslen.LIBCMT ref: 0088C9F1
_wcslen.LIBCMT ref: 0088CA68
_wcslen.LIBCMT ref: 0088CA9E
_wcslen.LIBCMT ref: 0088CAF9
_wcslen.LIBCMT ref: 0088CB2F
_wcslen.LIBCMT ref: 0088CB7F

Strings

HKCU, xrefs: 0088CBCE
HKEY_CURRENT_USER, xrefs: 0088CBBD
HKLM, xrefs: 0088CA98, 0088CA9D
HKEY_LOCAL_MACHINE, xrefs: 0088CA62, 0088CA67
HKCR, xrefs: 0088CB29, 0088CB2E
HKCC, xrefs: 0088CBAC
HKEY_CURRENT_CONFIG, xrefs: 0088CB79, 0088CB7E
HKEY_CLASSES_ROOT, xrefs: 0088CAF3, 0088CAF8
HKEY_USERS, xrefs: 0088CBDF
HKU, xrefs: 0088CBF0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction ID: d1d7969ba2f62216f80d46bce29facf585d0f36b240a5e661b31f06f5739686f
Opcode Fuzzy Hash: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction Fuzzy Hash: 0071F47260052A8BCB24FE7CDD41ABA37A5FF60764F150129F866D7289E631CD8487B1

Function 0089833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089835A
_wcslen.LIBCMT ref: 0089836E
_wcslen.LIBCMT ref: 00898391
_wcslen.LIBCMT ref: 008983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0089361A,?), ref: 0089844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898501
FreeLibrary.KERNEL32(?), ref: 0089850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0089851D
DestroyIcon.USER32(?), ref: 0089852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00898549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00898555

Strings

.dll, xrefs: 008983AB
.exe, xrefs: 00898388
.icl, xrefs: 00898368

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction ID: 2141d01e28813f320948b7f6632105493c4b74771da5e0f20ceaf5a0a14dbb82
Opcode Fuzzy Hash: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction Fuzzy Hash: 4561AE7154021AFAEF14EF68DC41BBE7BA8FF09B21F14460AF815D61D1DB75A980CBA0

Function 00807778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 008078ED
#OnAutoItStartRegister, xrefs: 00807817
Bad directive syntax error, xrefs: 0084519A
#notrayicon, xrefs: 008077E7
#comments-end, xrefs: 008078D9
#comments-start, xrefs: 0080785F, 008078B1
", xrefs: 00845153
Unterminated group of comments, xrefs: 0084528C
Cannot parse #include, xrefs: 00845279
#requireadmin, xrefs: 008077FF
#include, xrefs: 00807847
#cs, xrefs: 00807873, 008078C5
#pragma compile, xrefs: 008077D3
#include-once, xrefs: 0080782F
', xrefs: 00845169

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7687b7ac5f41d09dbeb32043c04e773857d7d7531756cacc7a1798ddb6898c3a
Instruction ID: 37ac5f17df21e7dee2b0b7dc1e2819e892f61cbf5fee66f725e636109cde4eec
Opcode Fuzzy Hash: 7687b7ac5f41d09dbeb32043c04e773857d7d7531756cacc7a1798ddb6898c3a
Instruction Fuzzy Hash: 3B81D371A04219BBEF60AF64DC42FAE37A8FF55340F044025F905EA2D3EB74E951C6A2

Function 00873E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00873EF8
_wcslen.LIBCMT ref: 00873F03
_wcslen.LIBCMT ref: 00873F5A
_wcslen.LIBCMT ref: 00873F98
GetDriveTypeW.KERNEL32(?), ref: 00873FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874087

Strings

open, xrefs: 00873F54, 00873F59
type cdaudio alias cd wait, xrefs: 00874001
close cd wait, xrefs: 00874072
open , xrefs: 00873FE5
close, xrefs: 00873EFE, 00873F18
wait, xrefs: 00874044
closed, xrefs: 00873F08, 00873F2D, 00873F46, 00873F7E, 00873F97
set cd door , xrefs: 00874028

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction ID: c6281f06e39eeef0fc494adf442dc8a0a29acb464f6e4a9d309902cded971eae
Opcode Fuzzy Hash: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction Fuzzy Hash: B871E1716042119FC350EF28C88096AB7F4FF94768F10892DF999D3295EB31ED49CB92

Function 00865A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00865A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00865A40
SetWindowTextW.USER32(?,?), ref: 00865A57
GetDlgItem.USER32(?,000003EA), ref: 00865A6C
SetWindowTextW.USER32(00000000,?), ref: 00865A72
GetDlgItem.USER32(?,000003E9), ref: 00865A82
SetWindowTextW.USER32(00000000,?), ref: 00865A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00865AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00865AC3
GetWindowRect.USER32(?,?), ref: 00865ACC
_wcslen.LIBCMT ref: 00865B33
SetWindowTextW.USER32(?,?), ref: 00865B6F
GetDesktopWindow.USER32 ref: 00865B75
GetWindowRect.USER32(00000000), ref: 00865B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00865BD3
GetClientRect.USER32(?,?), ref: 00865BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00865C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00865C2F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction ID: 109a23167fe3a0bc4c23524f5c6d92020c59c464533694105a4863df38c9a7e2
Opcode Fuzzy Hash: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction Fuzzy Hash: 5D718E31900B09AFDB20EFA8CE85BAEBBF5FF48714F154919E182E25A0D775E944CB10

Function 0087FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0087FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0087FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0087FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0087FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0087FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0087FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0087FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0087FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0087FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0087FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0087FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0087FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0087FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0087FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0087FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0087FECC
GetCursorInfo.USER32(?), ref: 0087FEDC
GetLastError.KERNEL32 ref: 0087FF1E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction ID: 8f0340740b281c5a356536ef1011a807e8580efbdd2c90d42129aa329476728a
Opcode Fuzzy Hash: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction Fuzzy Hash: A84121B0D083196ADB109FBA8C8985EBFE8FF04754B54852AE11DE7281DF78E9018E91

Function 0089911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DragQueryPoint.SHELL32(?,?), ref: 00899147

Part of subcall function 00897674: ClientToScreen.USER32(?,?), ref: 0089769A
Part of subcall function 00897674: GetWindowRect.USER32(?,?), ref: 00897710
Part of subcall function 00897674: PtInRect.USER32(?,?,00898B89), ref: 00897720

SendMessageW.USER32(?,000000B0,?,?), ref: 008991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00899225
SendMessageW.USER32(?,000000B0,?,?), ref: 0089923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00899255
SendMessageW.USER32(?,000000B1,?,?), ref: 00899277
DragFinish.SHELL32(?), ref: 0089927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00899371

Strings

@GUI_DRAGFILE, xrefs: 00899320
@GUI_DRAGID, xrefs: 008992E9
U, xrefs: 0089917D, 008991EA
x, xrefs: 008992BB
@GUI_DROPID, xrefs: 0089929E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: U$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$x
API String ID: 221274066-2173001591
Opcode ID: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction ID: 794f3e3ad6d09faff25b5ad4586b736b80da2d2706af1fa0ce9e6f884312e2c2
Opcode Fuzzy Hash: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction Fuzzy Hash: 79617B71108301AFD741EF98DC85DABBBE8FF85350F440A2EF595922A1DB309A48CB52

Function 008200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008200C6

Part of subcall function 008200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008D070C,00000FA0,F6C18742,?,?,?,?,008423B3,000000FF), ref: 0082011C
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008423B3,000000FF), ref: 00820127
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008423B3,000000FF), ref: 00820138
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0082014E
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0082015C
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0082016A
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00820195
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008201A0

___scrt_fastfail.LIBCMT ref: 008200E7

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

Strings

InitializeConditionVariable, xrefs: 00820148
kernel32.dll, xrefs: 00820133
SleepConditionVariableCS, xrefs: 00820154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00820122
WakeAllConditionVariable, xrefs: 00820162

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction ID: ee02a40eae320e7e21b968be53b294a62605296c7ed2d00795b99035fa57c382
Opcode Fuzzy Hash: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction Fuzzy Hash: B8212632645720ABEB107B78BC06B6E37E8FB44B51F08013BF911E6393DB7598408E95

Function 008630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086318D
_wcslen.LIBCMT ref: 008631F8

Strings

CLASS, xrefs: 00863188, 008631A5
INSTANCE, xrefs: 00863453
NAME, xrefs: 00863335, 00863346
CLASSNN, xrefs: 008631F3, 00863204
REGEXPCLASS, xrefs: 00863255, 00863266
TEXT, xrefs: 0086347C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction ID: 925e5f49a8951793f61a27a468fa918f78d8a39077ba9f931010bb3df10bc510
Opcode Fuzzy Hash: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction Fuzzy Hash: 9AE1B532A00526ABCF189FA8C851BEEFBB4FF54714F568129E556F7240DF30AE858790

Function 008744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0089CC08), ref: 00874527
_wcslen.LIBCMT ref: 0087453B
_wcslen.LIBCMT ref: 00874599
_wcslen.LIBCMT ref: 008745F4
_wcslen.LIBCMT ref: 0087463F
_wcslen.LIBCMT ref: 008746A7

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

GetDriveTypeW.KERNEL32(?,008C6BF0,00000061), ref: 00874743

Strings

all, xrefs: 00874531, 00874536
unknown, xrefs: 00874708
ramdisk, xrefs: 008746F1
fixed, xrefs: 00874635, 0087463A
cdrom, xrefs: 0087458F, 00874594
network, xrefs: 0087469D, 008746A2
removable, xrefs: 008745EA, 008745EF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction ID: 462459c6b0c83bacbbf12a692831951683585cc679de46cc7248dbaffae3e207
Opcode Fuzzy Hash: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction Fuzzy Hash: A3B103316083029FC714DF28C890A6AB7E5FFA5764F50992DF5AAC7295E730DC84CB62

Function 00896CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00896DEB

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00896E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00896E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896E94
DestroyWindow.USER32(?), ref: 00896EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 00896EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896EFD
GetDesktopWindow.USER32 ref: 00896F16
GetWindowRect.USER32(00000000), ref: 00896F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00896F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00896F4D

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

Strings

0, xrefs: 00896D98
U, xrefs: 00896D0F, 00896DCF, 00896DF1, 00896E04
tooltips_class32, xrefs: 00896E58, 00896EDD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: U$0$tooltips_class32
API String ID: 2429346358-3917125686
Opcode ID: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction ID: de814fc3fae047822db391490ed192e9f792dd8befb06fb0952c9ef27fe3f63b
Opcode Fuzzy Hash: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction Fuzzy Hash: 73716670104244AFDB21EF18DC58FBABBE9FB89304F58051EF999C7261EB71A915CB12

Function 0083DA5D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0083DAA1

Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D659
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D66B
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D67D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D68F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6A1
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6B3
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6C5
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6D7
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6E9
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6FB
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D70D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D71F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D731

_free.LIBCMT ref: 0083DA96

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083DAB8
_free.LIBCMT ref: 0083DACD
_free.LIBCMT ref: 0083DAD8
_free.LIBCMT ref: 0083DAFA
_free.LIBCMT ref: 0083DB0D
_free.LIBCMT ref: 0083DB1B
_free.LIBCMT ref: 0083DB26
_free.LIBCMT ref: 0083DB5E
_free.LIBCMT ref: 0083DB65
_free.LIBCMT ref: 0083DB82
_free.LIBCMT ref: 0083DB9A

Strings

8m, xrefs: 0083DA62

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8m
API String ID: 161543041-3926704479
Opcode ID: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction ID: 27a6b11f451bb8797bee742b8dbd00be9e0e48a942c01041571aff32d63235c2
Opcode Fuzzy Hash: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction Fuzzy Hash: 253149326043159FEB22AA39F845F5ABBE9FF80320F154469F859D7191DF71EC808BA1

Function 00883FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0089CC08), ref: 008840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0089CC08), ref: 008840F2
FreeLibrary.KERNEL32(00000000,?,0089CC08), ref: 0088413E
StringFromGUID2.OLE32(?,?,00000028,?,0089CC08), ref: 008841A8
SysFreeString.OLEAUT32(00000009), ref: 00884262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008842C8
SysFreeString.OLEAUT32(?), ref: 008842F2

Strings

GetModuleHandleExW, xrefs: 008840C7
kernel32.dll, xrefs: 008840B6

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction ID: 2bfd558ee899ccec3dde2444af7122eb6126ad379b1da8311ee07ee09d9c0eaf
Opcode Fuzzy Hash: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction Fuzzy Hash: 1B122C76A0021AEFDB14EF94C884EAEB7B5FF45318F248099E905DB251D731ED46CBA0

Function 0080326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008D1990), ref: 00842F8D
GetMenuItemCount.USER32(008D1990), ref: 0084303D
GetCursorPos.USER32(?), ref: 00843081
SetForegroundWindow.USER32(00000000), ref: 0084308A
TrackPopupMenuEx.USER32(008D1990,00000000,?,00000000,00000000,00000000), ref: 0084309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008430A9

Strings

0, xrefs: 0080327D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction ID: 52c28e49a0ca4663a9239b3bbb4c7c457b4cb36948e707227993e4ddf887375b
Opcode Fuzzy Hash: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction Fuzzy Hash: 47711931644209BFEB319F68CC49F9ABF68FF05328F244216F515E61E1CBB1A954C751

Function 00818BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

DestroyWindow.USER32(?), ref: 00818C81
KillTimer.USER32(00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00856973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000), ref: 008569D4
DeleteObject.GDI32(00000000), ref: 008569E6

Strings

U, xrefs: 00818C06

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: U
API String ID: 641708696-2399391058
Opcode ID: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction ID: 61e40edb31d935693f9dee9d88d327327dcfeda23eea4e02002f6e9d18dac12b
Opcode Fuzzy Hash: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction Fuzzy Hash: 2961BD30502710EFCB229F18D95ABA5BBF5FF50316F94461AE442D7A60CB32A8D4CF90

Function 0087C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0087C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0087C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0087C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C5F0
InternetCloseHandle.WININET(00000000), ref: 0087C5FB

Strings

, xrefs: 0087C575

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction ID: 5e1059ffb22c01fb929398ffbee3af20cea8d453ab6fa2dcbb01c60d3c78caab
Opcode Fuzzy Hash: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction Fuzzy Hash: 1B516CB1500608BFDB219FA4C988AAB7BBCFF08744F04851EF949D7214DB32E9449B60

Function 00819838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetSysColor.USER32(0000000F), ref: 00819862

Strings

U, xrefs: 0081987C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID: U
API String ID: 259745315-2399391058
Opcode ID: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction ID: 962ac01b70a5591d94b733506c064c4f0d3c79cf0b698f2c11a3d1cc4d1e1eaf
Opcode Fuzzy Hash: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction Fuzzy Hash: 75417E31104644AFDB205F389C98BF93BA9FF06721F584666F9E2C71E1D7319881DB11

Function 0089856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00898592
GetFileSize.KERNEL32(00000000,00000000), ref: 008985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008985AD
CloseHandle.KERNEL32(00000000), ref: 008985BA
GlobalLock.KERNEL32(00000000), ref: 008985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008985D7
GlobalUnlock.KERNEL32(00000000), ref: 008985E0
CloseHandle.KERNEL32(00000000), ref: 008985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0089FC38,?), ref: 00898611
GlobalFree.KERNEL32(00000000), ref: 00898621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00898641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00898671
DeleteObject.GDI32(00000000), ref: 00898699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008986AF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction ID: 84d778358dbc2d483b3f906bdcdf22be15b9e7f1d867a83db25ede633e0d3f4e
Opcode Fuzzy Hash: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction Fuzzy Hash: E8413A75600209EFDB11EFA5CC48EAA7BB8FF99715F184059F90AEB260DB319D01DB20

Function 008714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00871502
VariantCopy.OLEAUT32(?,?), ref: 0087150B
VariantClear.OLEAUT32(?), ref: 00871517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00871657
VariantInit.OLEAUT32(?), ref: 00871708
SysFreeString.OLEAUT32(?), ref: 0087178C
VariantClear.OLEAUT32(?), ref: 008717D8
VariantClear.OLEAUT32(?), ref: 008717E7
VariantInit.OLEAUT32(00000000), ref: 00871823

Strings

Default, xrefs: 008716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00871625

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8b48d3c0394f9b3b2ecf769e6ec79748988b18e13069e9572bd1874e19d45054
Instruction ID: 032351a9b1d3aeaef3166506c82411b05e5c7a03b134ad18d5ccb481831cf028
Opcode Fuzzy Hash: 8b48d3c0394f9b3b2ecf769e6ec79748988b18e13069e9572bd1874e19d45054
Instruction Fuzzy Hash: B6D1E071A00109DBDF18AF68E889BB9B7B5FF44708F148056E40EEB989DB30D841DB52

Function 0088B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0088B80A
RegCloseKey.ADVAPI32(?), ref: 0088B87E
RegCloseKey.ADVAPI32(?), ref: 0088B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0088B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0088B922
FreeLibrary.KERNEL32(00000000), ref: 0088B983
RegCloseKey.ADVAPI32(00000000), ref: 0088B994

Strings

RegDeleteKeyExW, xrefs: 0088B8FE
advapi32.dll, xrefs: 0088B8ED

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction ID: 67b451c823f4249186405a1e417416154ccc6e8c477bb13e4e751eb94317fabd
Opcode Fuzzy Hash: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction Fuzzy Hash: 9EC16D30204241AFD714EF18C895F2ABBE5FF84318F18855CE59A8B3A2DB75ED45CB92

Function 0089541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00895504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00895515
CharNextW.USER32(00000158), ref: 00895544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00895585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0089559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008955AC

Strings

U, xrefs: 0089545F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: U
API String ID: 1350042424-2399391058
Opcode ID: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction ID: f4f4992f5a705ce1d3a4f0d9f71c769f49899b8845a97a59ba78b5a5e6a39cb3
Opcode Fuzzy Hash: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction Fuzzy Hash: 9061AD71900608AFDF52AF94CC849FE7BB9FF09724F18414AF925EA291D7709A80DB61

Function 0088255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008825E8
CreateCompatibleDC.GDI32(?), ref: 008825F4
SelectObject.GDI32(00000000,?), ref: 00882601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0088266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008826D0
SelectObject.GDI32(?,?), ref: 008826D8
DeleteObject.GDI32(?), ref: 008826E1
DeleteDC.GDI32(?), ref: 008826E8
ReleaseDC.USER32(00000000,?), ref: 008826F3

Strings

(, xrefs: 0088268D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fd2498ce840fed79a62620a6d80418f8569e2028d60aed0c7624c6e604560a4d
Instruction ID: ff96da17be8633ecac368d169e118a7abdc7810cbd87dbf08c51c08b23886f2d
Opcode Fuzzy Hash: fd2498ce840fed79a62620a6d80418f8569e2028d60aed0c7624c6e604560a4d
Instruction Fuzzy Hash: 0F610275D00219EFCF04DFA8D884AAEBBB5FF48310F24852AE955E7250E771A941CFA4

Function 0086365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0086369C
_wcslen.LIBCMT ref: 008636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00863797
GetClassNameW.USER32(?,?,00000400), ref: 0086380C
GetDlgCtrlID.USER32(?), ref: 0086385D
GetWindowRect.USER32(?,?), ref: 00863882
GetParent.USER32(?), ref: 008638A0
ScreenToClient.USER32(00000000), ref: 008638A7
GetClassNameW.USER32(?,?,00000100), ref: 00863921
GetWindowTextW.USER32(?,?,00000400), ref: 0086395D

Strings

%s%u, xrefs: 00863734

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction ID: 9d4192264b17caebacc7e218fa4915fb31b1d28c9a0826e632896bd30af24772
Opcode Fuzzy Hash: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction Fuzzy Hash: 0A91C171204706AFD719DF24C885FEAFBA9FF44350F018629F99AC2190EB30EA55CB91

Function 00864954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00864994
GetWindowTextW.USER32(?,?,00000400), ref: 008649DA
_wcslen.LIBCMT ref: 008649EB
CharUpperBuffW.USER32(?,00000000), ref: 008649F7
_wcsstr.LIBVCRUNTIME ref: 00864A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00864A64
GetWindowTextW.USER32(?,?,00000400), ref: 00864A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00864AE6
GetClassNameW.USER32(?,?,00000400), ref: 00864B20
GetWindowRect.USER32(?,?), ref: 00864B8B

Strings

ThumbnailClass, xrefs: 00864A6F, 00864AF1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction ID: 8a0d7d8310b816bfb16798764ccefe87aa962b97ef45d08209e2bcaa453d8efa
Opcode Fuzzy Hash: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction Fuzzy Hash: 6591DB31004209AFDB05DF54D881BAE7BE8FF84314F05946AFD85DA196EB30ED45CBA2

Function 00893A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00893A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00893AA0
GetWindowLongW.USER32(?,000000F0), ref: 00893AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00893AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00893B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00893BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00893BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00893BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00893BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00893C13

Strings

U, xrefs: 00893A67, 00893A76, 00893AAC, 00893B01, 00893C2A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: U
API String ID: 312131281-2399391058
Opcode ID: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction ID: 66cff08b8da7b130112039fc51226da382761306c221dd161537cd14b9e6d36d
Opcode Fuzzy Hash: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction Fuzzy Hash: AE615975A00208AFDF11EFA8CC85EEE77B8FB09714F14015AFA15E7291C770AA41DB50

Function 0088CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0088CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD48

Part of subcall function 0088CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0088CCAA
Part of subcall function 0088CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0088CCBD
Part of subcall function 0088CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088CCCF
Part of subcall function 0088CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD05
Part of subcall function 0088CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0088CCF3

Strings

RegDeleteKeyExW, xrefs: 0088CCC9
advapi32.dll, xrefs: 0088CCB8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction ID: cdf7434531aad7afc54b7d9dc884f9cf8f2eec9b57ea624612bb260de19bdc5e
Opcode Fuzzy Hash: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction Fuzzy Hash: B5318C71A01129BBDB20AB65DC88EFFBB7CFF05740F040166B906E3244DA349A45DBB0

Function 00873D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00873D40
_wcslen.LIBCMT ref: 00873D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00873D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00873DBE
RemoveDirectoryW.KERNEL32(?), ref: 00873DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00873E55
CloseHandle.KERNEL32(00000000), ref: 00873E60
CloseHandle.KERNEL32(00000000), ref: 00873E6B

Strings

\??\%s, xrefs: 00873D5B
\, xrefs: 00873D77
:, xrefs: 00873D82

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction ID: f4a5a1130ac0ac9737e9a8cbe087ea6e7237b9445e52c156aa05f30c17f12391
Opcode Fuzzy Hash: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction Fuzzy Hash: 2031C371904219ABDB209BA4DC49FEB3BBCFF88700F1040B6F509D2164E770D7849B25

Function 0086E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0086E6B4

Part of subcall function 0081E551: timeGetTime.WINMM(?,?,0086E6D4), ref: 0081E555

Sleep.KERNEL32(0000000A), ref: 0086E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0086E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0086E727
SetActiveWindow.USER32 ref: 0086E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0086E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0086E773
Sleep.KERNEL32(000000FA), ref: 0086E77E
IsWindow.USER32 ref: 0086E78A
EndDialog.USER32(00000000), ref: 0086E79B

Strings

BUTTON, xrefs: 0086E719

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction ID: be7a2b4f63e5e5bbf91693c193fc79bc814c7211f1b7135e42ce45b94071f2df
Opcode Fuzzy Hash: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction Fuzzy Hash: 7B218EB5201304AFEB12AFA4EC89E263B69FB74749F150526F412C22A1DB72AC04DB25

Function 0086E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0086EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0086EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0086EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0086EAA7

Strings

play PlayMe, xrefs: 0086EAA2
play PlayMe wait, xrefs: 0086EA91
open , xrefs: 0086EA0C
status PlayMe mode, xrefs: 0086EA58
close PlayMe, xrefs: 0086EA6E, 0086EA9B
alias PlayMe, xrefs: 0086EA36

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction ID: bc98eeebddf9f17df9ef17e4a38f9b36d8dfb0ab86da5cbf0f760f1347187295
Opcode Fuzzy Hash: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction Fuzzy Hash: 55119135A9022979D720A7A9DD4AEFF6E7CFFD1B40F010439B411E21D1EE704918C6B1

Function 00869F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0086A012
SetKeyboardState.USER32(?), ref: 0086A07D
GetAsyncKeyState.USER32(000000A0), ref: 0086A09D
GetKeyState.USER32(000000A0), ref: 0086A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0086A0E3
GetKeyState.USER32(000000A1), ref: 0086A0F4
GetAsyncKeyState.USER32(00000011), ref: 0086A120
GetKeyState.USER32(00000011), ref: 0086A12E
GetAsyncKeyState.USER32(00000012), ref: 0086A157
GetKeyState.USER32(00000012), ref: 0086A165
GetAsyncKeyState.USER32(0000005B), ref: 0086A18E
GetKeyState.USER32(0000005B), ref: 0086A19C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction ID: a2c69d66cc8a35d67bfcae21a4e9fabd7116a3c2b752c5602a7586f1a93b258a
Opcode Fuzzy Hash: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction Fuzzy Hash: E5519A2050478869FB39EB6484157EABFF5FF12340F0A4599D5C2E71C2DE64AA8CCB63

Function 00865CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00865CE2
GetWindowRect.USER32(00000000,?), ref: 00865CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00865D59
GetDlgItem.USER32(?,00000002), ref: 00865D69
GetWindowRect.USER32(00000000,?), ref: 00865D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00865DCF
GetDlgItem.USER32(?,000003E9), ref: 00865DDD
GetWindowRect.USER32(00000000,?), ref: 00865DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00865E31
GetDlgItem.USER32(?,000003EA), ref: 00865E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00865E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00865E67

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction ID: fb4e82416321ef9660ee51c26e720ea376a1f7a8ef767cfb280978e9b11aa7cd
Opcode Fuzzy Hash: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction Fuzzy Hash: DE511071B00609AFDF18DFA8DD89AAEBBB5FB48300F558129F516E7294D7719E00CB60

Function 008950D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00895186
ShowWindow.USER32(?,00000000), ref: 008951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008951D1

Part of subcall function 00896FBA: DeleteObject.GDI32(00000000), ref: 00896FE6

GetWindowLongW.USER32(?,000000F0), ref: 0089520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0089521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0089524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00895287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00895296

Strings

U, xrefs: 00895104

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: U
API String ID: 3210457359-2399391058
Opcode ID: 93e332d395221076d1fc6d1c424c4ca1f9a3414bcee29d3f2d075c10a6b7412d
Instruction ID: 9abb3a6ef452edc06becba10be940642fea7456d199e1ee8b19efd909c86fa5a
Opcode Fuzzy Hash: 93e332d395221076d1fc6d1c424c4ca1f9a3414bcee29d3f2d075c10a6b7412d
Instruction Fuzzy Hash: 76519C30A40A08BEEF26BFA8CC4ABD83B65FF05325F1C4112F625D62E0C775A980DB41

Function 00873388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008733CF

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008733F0

Strings

Line %d (File "%s"):, xrefs: 00873443, 0087345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00873504
"%s" (%d) : ==> %s:, xrefs: 00873522
Gx, xrefs: 00873388
Incorrect parameters to object property !, xrefs: 008734AB
Error: , xrefs: 008734D1
^ ERROR , xrefs: 0087349E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Gx$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-1513327326
Opcode ID: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction ID: 09ba2dc2a4639e669dc9b494c345ca8c6c947a539948340fa8e199e75716cd35
Opcode Fuzzy Hash: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction Fuzzy Hash: A351AF71900209AADF18EBA4DD46EEEB778FF14300F108165F109F2292EB356F58DB62

Function 008696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00869717
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869720

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00869742
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00869866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0086984A
Line %d:, xrefs: 008697A0
Line %d (File "%s"):, xrefs: 0086978F
^ ERROR, xrefs: 008697FB
Error: , xrefs: 0086981D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction ID: 3f84481b77032437d5b013b53dff020bef4d6ace1806b3a6183643ff9b59c859
Opcode Fuzzy Hash: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction Fuzzy Hash: F9410972900219AACB04EBE8DD86EEE777CFF54340F510165F605E21D2EA356F58CB62

Function 008606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00860804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0086082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00860837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0086083C

Strings

SOFTWARE\Classes\, xrefs: 0086070E
\CLSID, xrefs: 00860724
\IPC$, xrefs: 00860784

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction ID: e766192cb50cfced823d018019a1e148552ac81756392e25f1c6c76cb78ce31f
Opcode Fuzzy Hash: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction Fuzzy Hash: FD410572D10229ABCF15EBA4DC95DEEB778FF04350F054169E911A32A1EB31AE44CFA1

Function 00893C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00893C79
SetMenu.USER32(?,00000000), ref: 00893C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893D10
IsMenu.USER32(?), ref: 00893D24
CreatePopupMenu.USER32 ref: 00893D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893D5B
DrawMenuBar.USER32 ref: 00893D63

Strings

0, xrefs: 00893C54
F, xrefs: 00893D4E
U, xrefs: 00893CCF, 00893CEC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: U$0$F
API String ID: 161812096-3933276334
Opcode ID: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction ID: d82987c6912c6eae33361f07a9f7fd3323c33fabe59565114832bdad169d94df
Opcode Fuzzy Hash: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction Fuzzy Hash: 30415CB5A01209EFDF14EFA4D854AAA7BB5FF49354F180029F946E7360D731AA10CF94

Function 00893F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0089403B
CreateCompatibleDC.GDI32(00000000), ref: 00894042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00894055
SelectObject.GDI32(00000000,00000000), ref: 0089405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00894068
DeleteDC.GDI32(00000000), ref: 00894072
GetWindowLongW.USER32(?,000000EC), ref: 0089407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00894092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0089409E

Strings

static, xrefs: 00893FD3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c2e2a2bf57e9608c2fd6415498fa115ba8359b7aec3757560f05e6ebd07fd9dd
Instruction ID: 2c99bb34e04847f73256b691904e1c80eb54bc1458dbc432b3a0c1170d665c1d
Opcode Fuzzy Hash: c2e2a2bf57e9608c2fd6415498fa115ba8359b7aec3757560f05e6ebd07fd9dd
Instruction Fuzzy Hash: C9316E32501219BBDF22AFA8CC09FDA3B68FF0D324F190215FA55E61A0D776D821DB64

Function 00883C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00883C5C
CoInitialize.OLE32(00000000), ref: 00883C8A
CoUninitialize.OLE32 ref: 00883C94
_wcslen.LIBCMT ref: 00883D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00883DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00883ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00883F0E
CoGetObject.OLE32(?,00000000,0089FB98,?), ref: 00883F2D
SetErrorMode.KERNEL32(00000000), ref: 00883F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00883FC4
VariantClear.OLEAUT32(?), ref: 00883FD8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction ID: e10bef801602453883773c1f85932649eb9f6f8adf4f5e5d13d8ab845641b510
Opcode Fuzzy Hash: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction Fuzzy Hash: DFC125716082059FD700EF68C88492BB7E9FF89B48F14491DF98ADB251DB31EE45CB92

Function 00877A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00877AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00877B8F
SHGetDesktopFolder.SHELL32(?), ref: 00877BA3
CoCreateInstance.OLE32(0089FD08,00000000,00000001,008C6E6C,?), ref: 00877BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00877C74
CoTaskMemFree.OLE32(?,?), ref: 00877CCC
SHBrowseForFolderW.SHELL32(?), ref: 00877D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00877D7A
CoTaskMemFree.OLE32(00000000), ref: 00877D81
CoTaskMemFree.OLE32(00000000), ref: 00877DD6
CoUninitialize.OLE32 ref: 00877DDC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 70d24c6830fa28ba3e2c69cd8fd664b9480d996ae7a362d8346d8fe7cc70c11a
Instruction ID: cf237ddbd52234ae8de119e68763d0e7f5d89cb84c9a382f748d812a00e20339
Opcode Fuzzy Hash: 70d24c6830fa28ba3e2c69cd8fd664b9480d996ae7a362d8346d8fe7cc70c11a
Instruction Fuzzy Hash: 1AC12C75A04109AFCB14DFA8C884DAEBBF9FF48314B1484A9E81ADB361D731ED41CB90

Function 0085FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0085FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0085FB08
VariantInit.OLEAUT32(?), ref: 0085FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0085FB3A
VariantCopy.OLEAUT32(?,?), ref: 0085FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0085FBA1
VariantClear.OLEAUT32(?), ref: 0085FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0085FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBCC
VariantClear.OLEAUT32(?), ref: 0085FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBE9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction ID: d55dce378e0ac85aee8dcb28049858848f01711384b6726c04303a3a872745f2
Opcode Fuzzy Hash: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction Fuzzy Hash: EA415135A00219DFCF00EF68C8549ADBBB9FF08355F048065E945E7261CB31A945CFA2

Function 00869C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00869CA1
GetAsyncKeyState.USER32(000000A0), ref: 00869D22
GetKeyState.USER32(000000A0), ref: 00869D3D
GetAsyncKeyState.USER32(000000A1), ref: 00869D57
GetKeyState.USER32(000000A1), ref: 00869D6C
GetAsyncKeyState.USER32(00000011), ref: 00869D84
GetKeyState.USER32(00000011), ref: 00869D96
GetAsyncKeyState.USER32(00000012), ref: 00869DAE
GetKeyState.USER32(00000012), ref: 00869DC0
GetAsyncKeyState.USER32(0000005B), ref: 00869DD8
GetKeyState.USER32(0000005B), ref: 00869DEA

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction ID: 02ed41e6a983e8e43a2c0357c6023496fd6a629351c6989c65ff8f4101027038
Opcode Fuzzy Hash: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction Fuzzy Hash: AF41B7345047C96DFF319764C8043B5BEA8FF11344F09806ADAC69A5C2EBF599D8C7A2

Function 00899F86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetSystemMetrics.USER32(0000000F), ref: 00899FC7
GetSystemMetrics.USER32(0000000F), ref: 00899FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0089A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0089A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0089A263
ShowWindow.USER32(00000003,00000000), ref: 0089A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0089A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0089A2CA

Strings

U, xrefs: 0089A034

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: U
API String ID: 1211466189-2399391058
Opcode ID: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction ID: fb257e68ee98c8598ac4023819624dd3e7bf4a325d8dfae2adc620862413c9c5
Opcode Fuzzy Hash: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction Fuzzy Hash: 44B16B31600219EFDF18DFA8C9857AE7BB2FF44711F198069EC85DB295D731A940CB91

Function 0088055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008805BC
inet_addr.WSOCK32(?), ref: 0088061C
gethostbyname.WSOCK32(?), ref: 00880628
IcmpCreateFile.IPHLPAPI ref: 00880636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008807B9
WSACleanup.WSOCK32 ref: 008807BF

Strings

Ping, xrefs: 00880676

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4ebefd0c5b23ae28da15c4747697759e6020da9d50f4d5d054ad40ac551efef1
Instruction ID: 145df43871166680f0289ca09d82e458d3068df03a4151b0d0958419a70d9ecf
Opcode Fuzzy Hash: 4ebefd0c5b23ae28da15c4747697759e6020da9d50f4d5d054ad40ac551efef1
Instruction Fuzzy Hash: 66918E356082419FD760EF19C889F1ABBE0FF44318F1485A9E469DB6A2C731ED49CF92

Function 00888CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00888CF3

Part of subcall function 00868E54: _wcslen.LIBCMT ref: 00868E77

_wcslen.LIBCMT ref: 00888D4E
_wcslen.LIBCMT ref: 00888D9C
_wcslen.LIBCMT ref: 00888DDC
_wcslen.LIBCMT ref: 00888E6E

Strings

winapi, xrefs: 00888D96, 00888D9B
cdecl, xrefs: 00888D48, 00888D4D
none, xrefs: 00888E65, 00888E6A
stdcall, xrefs: 00888DD6, 00888DDB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction ID: 6f8483cc69a837b607caf3ee14e41bd4ca6676169c253d2f49be98d7a1235177
Opcode Fuzzy Hash: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction Fuzzy Hash: 31518131A00116DBCB24EF6CC9409BEB7A5FF64724BA14229E966E72C5DB31DD40CB91

Function 0088372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00883774
CoUninitialize.OLE32 ref: 0088377F
CoCreateInstance.OLE32(?,00000000,00000017,0089FB78,?), ref: 008837D9
IIDFromString.OLE32(?,?), ref: 0088384C
VariantInit.OLEAUT32(?), ref: 008838E4
VariantClear.OLEAUT32(?), ref: 00883936

Strings

NULL Pointer assignment, xrefs: 0088381E
Failed to create object, xrefs: 008837E4, 0088389A
Invalid parameter, xrefs: 00883865

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction ID: bf46520f5b95032321bb65ff2601aed9a45354c0b44d775f2bf7ec833df7f2d3
Opcode Fuzzy Hash: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction Fuzzy Hash: 99617C71608301AFD710EF58C849B6ABBE8FF49B14F144829F995DB291D770EE48CB92

Function 0086B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0086B5FC
_wcslen.LIBCMT ref: 0086B608
_wcslen.LIBCMT ref: 0086B64D
_wcslen.LIBCMT ref: 0086B68C
_wcslen.LIBCMT ref: 0086B6C7

Strings

APPEND, xrefs: 0086B6C1, 0086B6C6
REMOVE, xrefs: 0086B602, 0086B607
EXISTS, xrefs: 0086B686, 0086B68B
KEYS, xrefs: 0086B647, 0086B64C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction ID: 08cddf615982cb60e999a5bac452331b241ad6ea205d6df057182affb6666267
Opcode Fuzzy Hash: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction Fuzzy Hash: 6B41A332A011269BCB206F7DC9905BE77A5FBB076CB264629E561DB284F731CDC1C7A0

Function 0086BC5E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086BCFD
IsMenu.USER32(00000000), ref: 0086BD1D
CreatePopupMenu.USER32 ref: 0086BD53
GetMenuItemCount.USER32(S), ref: 0086BDA4
InsertMenuItemW.USER32(S,?,00000001,00000030), ref: 0086BDCC

Strings

S, xrefs: 0086BCE3, 0086BCBC, 0086BDCA
2, xrefs: 0086BD37
0, xrefs: 0086BCA8
S, xrefs: 0086BD2B, 0086BDA3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2$S$S
API String ID: 93392585-1320522749
Opcode ID: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction ID: 2a8f30341b2a4910e02db2a548b9e37fc9d869b953e132bcaa51e4956cc5d060
Opcode Fuzzy Hash: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction Fuzzy Hash: F351BF70A00209ABDF20DFA8D884BAEBBF8FF4535CF15421AE441DF291D7719981CB62

Function 00875393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00875416
GetLastError.KERNEL32 ref: 00875420
SetErrorMode.KERNEL32(00000000,READY), ref: 008754A7

Strings

INVALID, xrefs: 00875459
READONLY, xrefs: 00875452
NOTREADY, xrefs: 0087544B
READY, xrefs: 00875460, 00875468
UNKNOWN, xrefs: 00875444

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction ID: 3be4ff5804ebed2b6df35b22aed711dbc78b8e7ddb8c368f8eec8ccba7629c3f
Opcode Fuzzy Hash: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction Fuzzy Hash: 8231D6B5A005049FD710DF68C884FAA7BB4FF45305F14C069E50ADB296DBB1DD86CB91

Function 00861EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00861F64
GetDlgCtrlID.USER32 ref: 00861F6F
GetParent.USER32 ref: 00861F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861F8E
GetDlgCtrlID.USER32(?), ref: 00861F97
GetParent.USER32(?), ref: 00861FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861FAE

Strings

ComboBox, xrefs: 00861EEC
ListBox, xrefs: 00861F21

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction ID: b108d3d49b294910b4145ccc95e5e40c1c0d71ef52483c254fceb8b89a961147
Opcode Fuzzy Hash: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction Fuzzy Hash: 3621B071A00214BBCF05AFA4DC85EEEBBB9FF15310F04411AF961A72E2DB3559149B60

Function 00861FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00862043
GetDlgCtrlID.USER32 ref: 0086204E
GetParent.USER32 ref: 0086206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086206D
GetDlgCtrlID.USER32(?), ref: 00862076
GetParent.USER32(?), ref: 0086208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086208D

Strings

ComboBox, xrefs: 00861FCD
ListBox, xrefs: 00862002

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction ID: 283e2ada69a3a912e87a56dc40c49ed402c8f39f9f4b6314836dfede11f55153
Opcode Fuzzy Hash: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction Fuzzy Hash: 4521CFB5D00618BBDF11AFA4CC85EEEBBB8FF15300F00405AF991E72A1DA799914DB61

Function 0086B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B165
GetWindowThreadProcessId.USER32(00000000), ref: 0086B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0086B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B21D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction ID: f4123b4a938ef94cca7ba4a1bb5d05d415ae3b65078a51f874266553f2bae5f8
Opcode Fuzzy Hash: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction Fuzzy Hash: CE310CB1100604BFDB21AF64DC58FAE7BA9FB21319F16811AFA01C7290C7B49E808F61

Function 00832C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00832C94

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 00832CA0
_free.LIBCMT ref: 00832CAB
_free.LIBCMT ref: 00832CB6
_free.LIBCMT ref: 00832CC1
_free.LIBCMT ref: 00832CCC
_free.LIBCMT ref: 00832CD7
_free.LIBCMT ref: 00832CE2
_free.LIBCMT ref: 00832CED
_free.LIBCMT ref: 00832CFB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction ID: 578eec8e57db728801001a0ce3238b61a8020137d868235cb6a4087347bd14ea
Opcode Fuzzy Hash: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction Fuzzy Hash: E911A476100118AFCB02EF98E882EDD7FA5FF45350F4144A5FA489F222DA31EE509B91

Function 00877DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00877FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00877FC1
GetFileAttributesW.KERNEL32(?), ref: 00877FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00878005
SetCurrentDirectoryW.KERNEL32(?), ref: 00878017
SetCurrentDirectoryW.KERNEL32(?), ref: 00878060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008780B0

Strings

*.*, xrefs: 00878066

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction ID: c4cb97151753ed971ee2c73eb3a6c0323cb5691073b1d86027e4caaead17ba6e
Opcode Fuzzy Hash: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction Fuzzy Hash: E481A0725082459BDB20EF18C8449AEB3E8FF88714F148C6EF889C7264EB75DD45CB92

Function 00897E9E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E95520), ref: 00897F37
IsWindowEnabled.USER32(00E95520), ref: 00897F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0089801E
SendMessageW.USER32(00E95520,000000B0,?,?), ref: 00898051
IsDlgButtonChecked.USER32(?,?), ref: 00898089
GetWindowLongW.USER32(00E95520,000000EC), ref: 008980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008980C3

Strings

U, xrefs: 00897ED2, 00897F51, 00897FFF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: U
API String ID: 4072528602-2399391058
Opcode ID: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction ID: ac1a43084f82f02fc8c35d636300eb414af27feb8d06e6adde1a14843d093b5f
Opcode Fuzzy Hash: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction Fuzzy Hash: 37719E34608645EFEF21AF64CC94FBABBB5FF5A300F18445AE945E7261CB31A845DB20

Function 00805BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00805C7A

Part of subcall function 00805D0A: GetClientRect.USER32(?,?), ref: 00805D30
Part of subcall function 00805D0A: GetWindowRect.USER32(?,?), ref: 00805D71
Part of subcall function 00805D0A: ScreenToClient.USER32(?,?), ref: 00805D99

GetDC.USER32 ref: 008446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00844708
SelectObject.GDI32(00000000,00000000), ref: 00844716
SelectObject.GDI32(00000000,00000000), ref: 0084472B
ReleaseDC.USER32(?,00000000), ref: 00844733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008447C4

Strings

U, xrefs: 00844693

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction ID: 65826155bfccca95a80c055a7bf3da74fc05ced8edd7585dd5a3f9f419381ac6
Opcode Fuzzy Hash: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction Fuzzy Hash: AB71013140020DEFDF218F64CD84BBA7BB1FF5A324F28122AE955DA1A6C7319842DF60

Function 0087359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008735E4

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(008D2390,?,00000FFF,?), ref: 0087360A

Strings

Line %d (File "%s"):, xrefs: 0087366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00873724
"%s" (%d) : ==> %s:, xrefs: 00873742
^ ERROR, xrefs: 008736C9
Error: , xrefs: 008736EF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction ID: abf7c67af052f36bbff58c618b3a0d473cd4a7dca7d1087bd11b1413a25efa1c
Opcode Fuzzy Hash: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction Fuzzy Hash: 5B516E71900209BADF18EBA4DC42EEEBB78FF14350F044125F115B22A2EB355B99DF62

Function 00892DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00892E1C
GetWindowLongW.USER32(?,000000F0), ref: 00892E4F
GetWindowLongW.USER32(?,000000F0), ref: 00892E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00892EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00892EE0
GetWindowLongW.USER32(?,000000F0), ref: 00892EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00892F0B

Strings

U, xrefs: 00892E00, 00892E34, 00892E69, 00892EA1, 00892EC5, 00892EFD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: U
API String ID: 2178440468-2399391058
Opcode ID: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction ID: 779e3b29d59a75473766ddb4967e770a4ffc04e54e582855525694ed63f3ccab
Opcode Fuzzy Hash: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction Fuzzy Hash: FF310035645244BFEF21EF58DCD8F693BA0FB9A710F5901A6F901CB2B2CB61A8409B51

Function 0087C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C2CA
GetLastError.KERNEL32 ref: 0087C322
SetEvent.KERNEL32(?), ref: 0087C336
InternetCloseHandle.WININET(00000000), ref: 0087C341

Strings

, xrefs: 0087C2BB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction ID: 9def2bcb9e9dcd44b7cf5a439fc0fbcdd8e56621eb761a03e2126e16e3350879
Opcode Fuzzy Hash: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction Fuzzy Hash: DC3169B1600608AFD721AFA88888AAB7AFCFB49744B14851EF44AD3205DB35DD449B61

Function 0086989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00843AAF,?,?,Bad directive syntax error,0089CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008698BC
LoadStringW.USER32(00000000,?,00843AAF,?), ref: 008698C3

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00869987

Strings

Line %d:, xrefs: 00869912
Line %d (File "%s"):, xrefs: 0086992D
., xrefs: 0086996D
Error: , xrefs: 00869955
%s (%d) : ==> %s.: %s %s, xrefs: 008698F1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction ID: f7703db06ddc2df83f0166c6c8854584fa06eb87e8f12038efd398a1b77b8bbb
Opcode Fuzzy Hash: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction Fuzzy Hash: C3218D31C0021EABCF15AF94CC46EEE7B39FF18304F04446AF515A21E2EB35A668DB12

Function 0086209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0086214D

Strings

largeicons, xrefs: 008620E1
smallicons, xrefs: 00862115
SHELLDLL_DefView, xrefs: 008620CC
details, xrefs: 008620FB
list, xrefs: 0086212F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction ID: 35d18d31b9d5175eff182cf2a4f75fb38ce1805d8bdb342f1d5614a298570077
Opcode Fuzzy Hash: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction Fuzzy Hash: 8E11367628CB16BAFA026224EC07DA637ACFB16324B21005BFB05E40D1FF75BC825625

Function 00838D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction ID: 089ec403e10b939a8d811530cdfda49905779930292bd9b5fe5861e884360306
Opcode Fuzzy Hash: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction Fuzzy Hash: D7C1CE74904249EFCB159FA8D851BADBBB0FF89310F144199F954E7392CBB48941CFA1

Function 0083CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0083CEB7
_free.LIBCMT ref: 0083CF22
_free.LIBCMT ref: 0083CF48
_free.LIBCMT ref: 0083CF71
_free.LIBCMT ref: 0083CFA9
_free.LIBCMT ref: 0083CFDA
_free.LIBCMT ref: 0083D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0083D09C
_free.LIBCMT ref: 0083D0B5

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction ID: 7945275539c7a7f9525b61efe6a44fa1da27ad5009ca12e7aebd403be5002791
Opcode Fuzzy Hash: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction Fuzzy Hash: B5614771905314AFDF25AFB8A891B697BA5FF85320F14426EF900E7242DB729D01CBD1

Function 00818B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00856890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 00856901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0085691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 0085692D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction ID: 4b4b77dfe9353d0fdc19182cc092bb40521c4ca7784abb7b815763ddedea1aa2
Opcode Fuzzy Hash: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction Fuzzy Hash: 1B519AB0600209EFDB20DF24CC56BAA7BB9FF58361F144529F946D72A0EB71E990DB50

Function 0087C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C182
GetLastError.KERNEL32 ref: 0087C195
SetEvent.KERNEL32(?), ref: 0087C1A9

Part of subcall function 0087C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
Part of subcall function 0087C253: GetLastError.KERNEL32 ref: 0087C322
Part of subcall function 0087C253: SetEvent.KERNEL32(?), ref: 0087C336
Part of subcall function 0087C253: InternetCloseHandle.WININET(00000000), ref: 0087C341

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction ID: f9b62e26ab18d24a07ee02da8f27571a3abac4f392cd4194c2801add0de91d06
Opcode Fuzzy Hash: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction Fuzzy Hash: 55318A71200605BFDB21AFE9DC44A66BBF8FF58300B54842EF95AC3615DB31E914ABA0

Function 008625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00862601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00862605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0086260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00862623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00862627

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction ID: 6db04ae1d115cdcc7e2eaaae560367e4cfed5e2387763b46e86568c915200b29
Opcode Fuzzy Hash: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction Fuzzy Hash: B101B130290624BBFB2077699C8AF593E59EF5AB52F110016F318EE0D1C9E22444DA6A

Function 00861803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00861449,?,?,00000000), ref: 0086180C
HeapAlloc.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861828
GetCurrentProcess.KERNEL32(?,00000000,?,00861449,?,?,00000000), ref: 00861830
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861843
GetCurrentProcess.KERNEL32(00861449,00000000,?,00861449,?,?,00000000), ref: 0086184B
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 0086184E
CreateThread.KERNEL32(00000000,00000000,00861874,00000000,00000000,00000000), ref: 00861868

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction ID: 817635f20a3ae0e27f905fe9da83cf7abb913ff5778ccc887d31fece8066bf08
Opcode Fuzzy Hash: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction Fuzzy Hash: 0501BF75240304BFE710AB65DD4DF5B7B6CFB89B11F454411FA05DB2A1C6759800CB34

Function 0086C5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C6EE
_wcslen.LIBCMT ref: 0086C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0086C7CA

Strings

S, xrefs: 0086C64B
0, xrefs: 0086C6AF
S, xrefs: 0086C652

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$S$S
API String ID: 1227352736-3930462656
Opcode ID: cfac94bb720dc7e6a7499be0c2f59f9997ceeb1399128f0f15c2ff1adeef7f67
Instruction ID: 24240059fe6164d37904df320a17c032e94fffea2e3227abb33cf9a2ddb671f6
Opcode Fuzzy Hash: cfac94bb720dc7e6a7499be0c2f59f9997ceeb1399128f0f15c2ff1adeef7f67
Instruction Fuzzy Hash: 1951DD71604301ABD7509F2CC889A7B77E8FF99314F050A2EF9E5D32A1DB60D8448B56

Function 0088A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0086D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Part of subcall function 0086D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Part of subcall function 0086D4DC: CloseHandle.KERNEL32(00000000), ref: 0086D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A16D
GetLastError.KERNEL32 ref: 0088A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0088A268
GetLastError.KERNEL32(00000000), ref: 0088A273
CloseHandle.KERNEL32(00000000), ref: 0088A2C4

Strings

SeDebugPrivilege, xrefs: 0088A18F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c490cb9b46a6eb81c4e8ee562876cca86ea5c32ea4b5c3b94f7491570724532d
Instruction ID: 5c0a1456a306d8d6ed66a229aade52e8166c78c9765d9ffd4788a5406e6a2a39
Opcode Fuzzy Hash: c490cb9b46a6eb81c4e8ee562876cca86ea5c32ea4b5c3b94f7491570724532d
Instruction Fuzzy Hash: 276159742042429FE724EF18C894F15BBA5FF44318F19849DE4668B7E2CBB6EC45CB92

Function 00893886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00893925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0089393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00893954
_wcslen.LIBCMT ref: 00893999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008939F4

Strings

SysListView32, xrefs: 008938F7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction ID: 112369888489635cf60522c3719b85e826b30b01f70603173ac0eb3a60955e46
Opcode Fuzzy Hash: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction Fuzzy Hash: 8841B471A00219ABEF21AF64CC49FEA7BA9FF08354F14052AF958E7281D775DD80CB90

Function 008981DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0085F3AB,00000000,?,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0089824C
EnableWindow.USER32(?,00000000), ref: 00898272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008982D1
ShowWindow.USER32(?,00000004), ref: 008982E5
EnableWindow.USER32(?,00000001), ref: 0089830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0089832F

Strings

U, xrefs: 00898206, 00898252, 00898299, 008982D7, 008982EB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: U
API String ID: 642888154-2399391058
Opcode ID: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction ID: 2619c1dbc6f1abfe0b35f39db1054b345b66fe16ab86cea1cda1d38a39c1f744
Opcode Fuzzy Hash: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction Fuzzy Hash: 22417334601645FFDF15EF65C899BA47BE1FF0B714F5C426AE5088B262CB32A841CB50

Function 0086C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0086C913

Strings

warning, xrefs: 0086C8FC
blank, xrefs: 0086C895
info, xrefs: 0086C8B4
stop, xrefs: 0086C8E4
question, xrefs: 0086C8CC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction ID: c31e9bd273178ddfa769d66af7d2f0feefae2eac77b5bc15c55d2fd2e0ec18a8
Opcode Fuzzy Hash: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction Fuzzy Hash: 38113D3168931ABAE704AB54AC83DBA2BACFF15358B11003FF544E6382E7749D405275

Function 0086DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0086DE42
gethostname.WSOCK32(?,00000100), ref: 0086DE5C
gethostbyname.WSOCK32(?), ref: 0086DE69
inet_ntoa.WSOCK32(?), ref: 0086DEAB
_strcat.LIBCMT ref: 0086DEB9
WSACleanup.WSOCK32 ref: 0086DEDE

Strings

0.0.0.0, xrefs: 0086DE87

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ce9adb08038c5abec50a18b889f918d8f0b9ba5fc3cae5e2dd24e34133a972ce
Instruction ID: c031fd0ad0730fd2a66e9a8f25caedb7c67e56582058cc8e11ec0eacd5784bc8
Opcode Fuzzy Hash: ce9adb08038c5abec50a18b889f918d8f0b9ba5fc3cae5e2dd24e34133a972ce
Instruction Fuzzy Hash: E411DD71A04218AFCB207B64AC4ADDE776CFF11715F05017AF545EA091EF768AC18A61

Function 0086ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0086ED2A
_wcslen.LIBCMT ref: 0086ED3B
_wcslen.LIBCMT ref: 0086ED79
_wcslen.LIBCMT ref: 0086EDAF
_wcslen.LIBCMT ref: 0086EDDF
_wcslen.LIBCMT ref: 0086EDEF
_wcslen.LIBCMT ref: 0086EE2B
_wcslen.LIBCMT ref: 0086EE5A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction ID: 54dd2d2a6e23afbe6df2c52551b6c9fb8f4544db1441cba58cda15fafb79a680
Opcode Fuzzy Hash: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction Fuzzy Hash: C8418365C10228B6CB11EBF8DC8A9CFB7A8FF45710F518562E518E3121FB74E295C3A6

Function 0081F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0081F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F454

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction ID: 1a69b14d911935cb0bc696e7b9e49511a78f840a55f3974e4c67318c633dc07a
Opcode Fuzzy Hash: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction Fuzzy Hash: 43416C30208244BAC734BB2C98887EA7F99FF46324F58413DE747D2663C63298C5CB11

Function 00892D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892D1B
GetDC.USER32(00000000), ref: 00892D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892D2E
ReleaseDC.USER32(00000000,00000000), ref: 00892D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00892D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00892D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00895A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00892DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00892DE1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction ID: 7d9dfc4aa611e95b99c0f2d675a5049682ef23fccef1736ba0a6945a4346ba5c
Opcode Fuzzy Hash: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction Fuzzy Hash: F3316972201614BBEF219F548C8AFEB3BA9FB19755F084056FE08DA291C6769C50CBA4

Function 00865622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865637
_memcmp.LIBVCRUNTIME ref: 00865659
_memcmp.LIBVCRUNTIME ref: 00865671
_memcmp.LIBVCRUNTIME ref: 00865684
_memcmp.LIBVCRUNTIME ref: 0086569E
_memcmp.LIBVCRUNTIME ref: 008656B1
_memcmp.LIBVCRUNTIME ref: 008656C9
_memcmp.LIBVCRUNTIME ref: 008656E4

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction ID: f27ac3313d45467e3c69597f4f4f3164245102ad03bd28854c4ce351b6569a5d
Opcode Fuzzy Hash: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction Fuzzy Hash: AA21C961640A297BDA18A524DD86FFA335DFF30398F594020FE05DA782F728ED60C5A6

Function 00884FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0088502E, 00885383
Not an Object type, xrefs: 00885007

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction ID: 18736f8b04d0049b5ed10a73665d6249598047154eaca2960aba1f0b10b41031
Opcode Fuzzy Hash: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction Fuzzy Hash: 6ED1B075A0060AAFDF10EFA8C885BAEB7B5FF48344F148069E915EB281E771DD45CB90

Function 00841522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00841651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008416FB

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00841777
__freea.LIBCMT ref: 008417A2
__freea.LIBCMT ref: 008417AE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction ID: 11bcec3680ca54b8c8b248df8dd9bb78a7727494a0a63b2665a0c41c32b8885c
Opcode Fuzzy Hash: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction Fuzzy Hash: E691C271F0021E9ADF208E64C889AEEBBB5FF59754F194659E805E7141EB35CC80CBA0

Function 00884523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00884648
VariantInit.OLEAUT32(?), ref: 00884749
VariantClear.OLEAUT32(?), ref: 00884753
VariantClear.OLEAUT32(?), ref: 008847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0088472C
Null Object assignment in FOR..IN loop, xrefs: 008845D8, 00884706, 008847BE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9fce553bf83090e4419e1032d703fd40e70aedee77779654784f6c11bad85497
Instruction ID: c2da330c5bdd0835c05017d3f7bb2abbbc39b9c19aa6fbd97d2b08500f2a1dd8
Opcode Fuzzy Hash: 9fce553bf83090e4419e1032d703fd40e70aedee77779654784f6c11bad85497
Instruction Fuzzy Hash: 8B917E72A0021AABDF20EFA4C844FAEBBB8FF46714F108559F515EB281D7709945CFA0

Function 00871187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0087125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00871284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0087135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00871430

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction ID: 06ccb901f9d0c3aed5d5e3fed4c611ac29b2b09dcf1e08d35655b287abd639cc
Opcode Fuzzy Hash: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction Fuzzy Hash: 1991D171A00219AFDB00DF9CC888BBEB7B9FF45315F148029E904EB696D774E941CB95

Function 0081948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction ID: d013e0c2b65f3eb738cbe5b04ad3fcb93c111a42f13ee693f48213564a6cb00d
Opcode Fuzzy Hash: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction Fuzzy Hash: BD911471D00219EFCB10CFA9C884AEEBBB9FF49320F148559E955F7251D375AA82CB60

Function 00883947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0088396B
CharUpperBuffW.USER32(?,?), ref: 00883A7A
_wcslen.LIBCMT ref: 00883A8A
VariantClear.OLEAUT32(?), ref: 00883C1F

Part of subcall function 00870CDF: VariantInit.OLEAUT32(00000000), ref: 00870D1F
Part of subcall function 00870CDF: VariantCopy.OLEAUT32(?,?), ref: 00870D28
Part of subcall function 00870CDF: VariantClear.OLEAUT32(?), ref: 00870D34

Strings

Incorrect Parameter format, xrefs: 008839A6, 00883BA1
AUTOIT.ERROR, xrefs: 00883A80, 00883A85

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction ID: 2a1f97cdd4efeaa8e45038d60690934d5e8b2467c386d6fea00f555ac5b1c278
Opcode Fuzzy Hash: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction Fuzzy Hash: EF9113756083059FC704EF68C88096AB7E5FF89714F14882DF88ADB351DB31EA45CB92

Function 00884BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0086000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
Part of subcall function 0086000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
Part of subcall function 0086000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
Part of subcall function 0086000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00884C51
_wcslen.LIBCMT ref: 00884D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00884DCF
CoTaskMemFree.OLE32(?), ref: 00884DDA

Strings

NULL Pointer assignment, xrefs: 00884E23, 00884E52

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction ID: ed968c7c8cfc66ea6c18c7bce62b0f8db2eae831444fee9533d4ba540e5593f5
Opcode Fuzzy Hash: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction Fuzzy Hash: 8C91F772D0021EABDF14EFA4DC91AEEB7B9FF08314F108169E515E7291DB705A448F61

Function 00887B7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00820242: EnterCriticalSection.KERNEL32(008D070C,008D1884,?,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082024D
Part of subcall function 00820242: LeaveCriticalSection.KERNEL32(008D070C,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082028A

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

__Init_thread_footer.LIBCMT ref: 00887BFB

Part of subcall function 008201F8: EnterCriticalSection.KERNEL32(008D070C,?,?,00818747,008D2514), ref: 00820202
Part of subcall function 008201F8: LeaveCriticalSection.KERNEL32(008D070C,?,00818747,008D2514), ref: 00820235

Strings

Variable must be of type 'Object'., xrefs: 00887C3A
Gx, xrefs: 00887CD4, 00887D73, 00887D05, 00887E05
5, xrefs: 00887C78
x, xrefs: 00887D5C, 00887C50
Gx, xrefs: 00887C96

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$Gx$Gx$Variable must be of type 'Object'.$x
API String ID: 535116098-218339946
Opcode ID: 3616245a2223f590ca3f84d82c9c157067c76b5ec373e13f802fdf30c1276d57
Instruction ID: 8b3ab3c51d0ad932cd84e7348ccf2b68282fe80d4f16cbc1570dad887162c7b4
Opcode Fuzzy Hash: 3616245a2223f590ca3f84d82c9c157067c76b5ec373e13f802fdf30c1276d57
Instruction Fuzzy Hash: 2E915970A04209EFCB14EF98D8919ADB7B2FF44304F248159F816EB292DB71EE45CB52

Function 008920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00892183
GetMenuItemCount.USER32(00000000), ref: 008921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008921DD
_wcslen.LIBCMT ref: 00892213
GetMenuItemID.USER32(?,?), ref: 0089224D
GetSubMenu.USER32(?,?), ref: 0089225B

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008922E3

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cd9f13836298325f604d860864f620d0393362650fb24bc29c65baf97bc4bcf3
Instruction ID: 4d92fa966d654c6bc8a39711b8c553d35825c09009f76172920cc553753a4f76
Opcode Fuzzy Hash: cd9f13836298325f604d860864f620d0393362650fb24bc29c65baf97bc4bcf3
Instruction Fuzzy Hash: 92717D75A00215AFCF14EFA8C845AAEB7F5FF88310F188459E916EB351DB34ED418B91

Function 0086AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0086AEF9
GetKeyboardState.USER32(?), ref: 0086AF0E
SetKeyboardState.USER32(?), ref: 0086AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0086AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0086AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0086AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0086B020

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction ID: 1a45f7ca0f13369298f346ddd1c0572c97435affebf1c3369f06f34e11def5d9
Opcode Fuzzy Hash: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction Fuzzy Hash: C651C4A0A047D53DFB3642348C45BBA7EE9BB06308F098489E1D5D54C3D7A9A8C4D752

Function 0086ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0086AD19
GetKeyboardState.USER32(?), ref: 0086AD2E
SetKeyboardState.USER32(?), ref: 0086AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0086ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0086ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0086AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0086AE38

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction ID: c465774dbadeeed95015bf2f9c5666a8e8384e6fd7cc08d3930bc62901b04dca
Opcode Fuzzy Hash: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction Fuzzy Hash: 7351F6A16047D53DFB3B83348C95B7A7EE8FB05304F098489E1D5E68C2C295EC84DB52

Function 0083542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00843CD6,?,?,?,?,?,?,?,?,00835BA3,?,?,00843CD6,?,?), ref: 00835470
__fassign.LIBCMT ref: 008354EB
__fassign.LIBCMT ref: 00835506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00843CD6,00000005,00000000,00000000), ref: 0083552C
WriteFile.KERNEL32(?,00843CD6,00000000,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 0083554B
WriteFile.KERNEL32(?,?,00000001,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 00835584

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction ID: c3c23245dc5df4f18157f56aa4ccf44873df490ac8cc342365e9b7227f9931bd
Opcode Fuzzy Hash: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction Fuzzy Hash: 8E51B4B1A006499FDB10CFA8D855AEEBBF9FF49300F14452AF955E7291D730AA41CBA0

Function 00896B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00896C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00896C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00896C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0087AB79,00000000,00000000), ref: 00896C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00896CC7

Strings

U, xrefs: 00896BB0, 00896C55

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: U
API String ID: 3688381893-2399391058
Opcode ID: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction ID: f64fdf5c8b87a1efe97299ae484e73a649302b46fdf341aa39d750db6501f8e3
Opcode Fuzzy Hash: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction Fuzzy Hash: E041B535604104AFDF25EF28CC58FA57BA5FB09368F190229F899E72E0E371ED61C650

Function 00832051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008320C3
_free.LIBCMT ref: 008320E3

Strings

x, xrefs: 00832076, 008320B8, 008320D8, 00832158

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID: x
API String ID: 269201875-2890206012
Opcode ID: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction ID: 3ea980d6b5ff3d143a62876f68a99fd49434f822493b9b0b4a7fb7eeafec4b51
Opcode Fuzzy Hash: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction Fuzzy Hash: 6341D132A00614AFCB24DF78C981A5EB7B5FF89714F1545A8E616EB392DA31AD01CB81

Function 00822D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00822D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00822D53
_ValidateLocalCookies.LIBCMT ref: 00822DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00822E0C
_ValidateLocalCookies.LIBCMT ref: 00822E61

Strings

csm, xrefs: 00822DF6

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction ID: 5d751ac84c7e3a21ee06b303162fb91c957e1d069fc9c561b5d4fb3192897462
Opcode Fuzzy Hash: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction Fuzzy Hash: BE41E334E0022CBBCF10DF68E844AAEBBB4FF45324F148165E814EB392D7359A81CB91

Function 008810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00881112
WSAGetLastError.WSOCK32 ref: 00881121
WSAGetLastError.WSOCK32 ref: 008811C9
closesocket.WSOCK32(00000000), ref: 008811F9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction ID: d146ecc28ed8ccc679a07d3f28ba2fcefaf2e1e262a52b15193c02ad82b81cf3
Opcode Fuzzy Hash: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction Fuzzy Hash: 8C41D435600204AFDB10AF58CC8CBA9B7E9FF45368F148159F915EB291CB71ED42CBA1

Function 0086CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

lstrcmpiW.KERNEL32(?,?), ref: 0086CF45
MoveFileW.KERNEL32(?,?), ref: 0086CF7F
_wcslen.LIBCMT ref: 0086D005
_wcslen.LIBCMT ref: 0086D01B
SHFileOperationW.SHELL32(?), ref: 0086D061

Strings

\*.*, xrefs: 0086CFF3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction ID: 24eeac3ddce2ae55ced0c895529b9b2694a897e7ea3ce00d3cd3d46e6d7d3d0f
Opcode Fuzzy Hash: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction Fuzzy Hash: 4D4131719452189FDF12EBA4D981AEEB7B9FF08380F1100E6E545EB142EE74A688CB51

Function 00893D7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893E35
IsMenu.USER32(?), ref: 00893E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893E92
DrawMenuBar.USER32 ref: 00893EA5

Strings

U, xrefs: 00893DF7, 00893E12
0, xrefs: 00893D89

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: U$0
API String ID: 3076010158-4222668077
Opcode ID: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction ID: 95674fe900a3bd49f41bd9878dbe9c0076a852033b9e0e1e7891e79e805b2c04
Opcode Fuzzy Hash: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction Fuzzy Hash: D1413575A01209AFDF10EF64D884AAEBBB9FF49354F08412AF905EB650D730AE44CF60

Function 00867726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0086778F
SysAllocString.OLEAUT32(00000000), ref: 00867792
SysAllocString.OLEAUT32(?), ref: 008677B0
SysFreeString.OLEAUT32(?), ref: 008677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008677DE
SysAllocString.OLEAUT32(?), ref: 008677EC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 78816418a222f5fae73a7d9386fe1e4d3fe56d5fdc9d6f078da8389a300cb5ab
Instruction ID: 46ccbd21a3cdda8f991db5caf608c4ccab9e5fb04527d078295be41d8cca1276
Opcode Fuzzy Hash: 78816418a222f5fae73a7d9386fe1e4d3fe56d5fdc9d6f078da8389a300cb5ab
Instruction Fuzzy Hash: 9C21B076608219AFDF10EFA8CD88CBB77ACFF093687058026FA14DB151D674DC4187A4

Function 008677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867868
SysAllocString.OLEAUT32(00000000), ref: 0086786B
SysAllocString.OLEAUT32 ref: 0086788C
SysFreeString.OLEAUT32 ref: 00867895
StringFromGUID2.OLE32(?,?,00000028), ref: 008678AF
SysAllocString.OLEAUT32(?), ref: 008678BD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: abd990c98d738fcf01828755c76751cc9f4b6df442780b4ee45332403f2c4e77
Instruction ID: 8bf87fe0a45d0534490741b6d5bdd2f07453610202ffe476e62bab9dbcec3da1
Opcode Fuzzy Hash: abd990c98d738fcf01828755c76751cc9f4b6df442780b4ee45332403f2c4e77
Instruction Fuzzy Hash: 63217431608208AFDB10AFB8DC88DAA77ECFB097647158135F915CB2A1D670DC81CBA8

Function 008704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0087052E

Strings

nul, xrefs: 00870567

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction ID: 85f7ccc1ab186cc7ac3d52a768c17dea6d555902bab5740bf7247f4369f9dcc7
Opcode Fuzzy Hash: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction Fuzzy Hash: A0218D71500305EBDB209F69DC44A9A7BB4FF54724F248A19F8A9E62E4D771D940CF20

Function 008705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00870601

Strings

nul, xrefs: 00870639

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction ID: b3ede07a924707891a9dad1f99db8444e04a478c39cf7c204e8ce8e7e564a834
Opcode Fuzzy Hash: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction Fuzzy Hash: 2521D171500305DBDB209F688C14A9A77E4FFA1724F248A1AF8A5E72E4D770D860CF20

Function 008940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00894112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0089411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0089412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00894139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00894145

Strings

Msctls_Progress32, xrefs: 008940E3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction ID: 8a57dd555737af9eff6d8ce9b092905dbbe131ec7d7fda3a79a7f19fc4071c45
Opcode Fuzzy Hash: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction Fuzzy Hash: 1A1190B214021DBEEF119E64CC85EE77F6DFF08798F004111BA18E2190C6729C219BA4

Function 0081990C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1
GetWindowLongW.USER32(?,000000EB), ref: 00819952

Strings

U, xrefs: 00819960

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID: U
API String ID: 1860813098-2399391058
Opcode ID: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction ID: edd08cf04259e11fd085113cda23531ee2179fd52488cf51ed3eeee9bc65e95b
Opcode Fuzzy Hash: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction Fuzzy Hash: D821E9715493909FCB224F34EC68AE53F64FF53331B18429EE9D1CA1A2D7324992CB11

Function 0083D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083D7A3: _free.LIBCMT ref: 0083D7CC

_free.LIBCMT ref: 0083D82D

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D838
_free.LIBCMT ref: 0083D843
_free.LIBCMT ref: 0083D897
_free.LIBCMT ref: 0083D8A2
_free.LIBCMT ref: 0083D8AD
_free.LIBCMT ref: 0083D8B8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: f6fb5ef22450ff740fdaf9d5dd67b24056d62e1460583c5e013fbb04b4abb9f7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 64115E71940B14AAD621BFB4EC47FCB7BDCFF80700F400825BA99E6292DA65B50586E2

Function 0086DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0086DA74
LoadStringW.USER32(00000000), ref: 0086DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086DA91
LoadStringW.USER32(00000000), ref: 0086DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0086DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0086DAB9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction ID: 11a8242cfc58dc2f264f99b26a84587e3927db99b7ef1a00dbd0eb1b31506165
Opcode Fuzzy Hash: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction Fuzzy Hash: 6C0162F29042187FEB11EBE49D89EEB376CF708305F440496B746E2041EA759E844F74

Function 0087096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E8E030,00E8E030), ref: 0087097B
EnterCriticalSection.KERNEL32(00E8E010,00000000), ref: 0087098D
TerminateThread.KERNEL32(?,000001F6), ref: 0087099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008709A9
CloseHandle.KERNEL32(?), ref: 008709B8
InterlockedExchange.KERNEL32(00E8E030,000001F6), ref: 008709C8
LeaveCriticalSection.KERNEL32(00E8E010), ref: 008709CF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction ID: 5287ec6a31eab4b3071e8c7815ace269f8b196dff5b56b276d8664efc9e932b9
Opcode Fuzzy Hash: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction Fuzzy Hash: 17F0E131446912FFD7516FA4EE8DBD6BB35FF05702F841016F201908A5C776A465CFA0

Function 00805D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00805D30
GetWindowRect.USER32(?,?), ref: 00805D71
ScreenToClient.USER32(?,?), ref: 00805D99
GetClientRect.USER32(?,?), ref: 00805ED7
GetWindowRect.USER32(?,?), ref: 00805EF8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction ID: f338ffe062ce87f223ee126d5ccf7d35454251b151bb25bbbea8cb296341697d
Opcode Fuzzy Hash: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction Fuzzy Hash: 35B16B34A0064ADBDB10CFA9C8407EEBBF1FF58314F14941AE8A9D7290DB34AA51DF64

Function 008301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008300D6
__allrem.LIBCMT ref: 008300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0083010B
__allrem.LIBCMT ref: 00830122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00830140

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ab2114224862029fa61fb409d55ff0bf6500d53c7424a9d76b41898cd708a7be
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 62812771A00B1A9BE7249F2CDC51B6A73F8FF81724F24413AF551D6682EB74D9408BD1

Function 00881D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00883149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0088101C,00000000,?,?,00000000), ref: 00883195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00881DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00881DE1
WSAGetLastError.WSOCK32 ref: 00881DF2
inet_ntoa.WSOCK32(?), ref: 00881E8C
htons.WSOCK32(?,?,?,?,?), ref: 00881EDB
_strlen.LIBCMT ref: 00881F35

Part of subcall function 008639E8: _strlen.LIBCMT ref: 008639F2

Part of subcall function 00806D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0081CF58,?,?,?), ref: 00806DBA
Part of subcall function 00806D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0081CF58,?,?,?), ref: 00806DED

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 8396385892e6bd7c31431c253f76387a6328f00a6747a449e07647ba04791e65
Instruction ID: 9716dfdeef4cac96a783fae5bd83d71d0081e1ef74eadbea63779ec977f621e7
Opcode Fuzzy Hash: 8396385892e6bd7c31431c253f76387a6328f00a6747a449e07647ba04791e65
Instruction Fuzzy Hash: D3A1A031204340AFC714EB28C889E2A77A9FF84318F54895CF5569B2E2DF71ED46CB92

Function 008361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008282D9,008282D9,?,?,?,0083644F,00000001,00000001,8BE85006), ref: 00836258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0083644F,00000001,00000001,8BE85006,?,?,?), ref: 008362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008363D8
__freea.LIBCMT ref: 008363E5

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

__freea.LIBCMT ref: 008363EE
__freea.LIBCMT ref: 00836413

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction ID: 3901a67fc305c12a6f31f4856cfa66c4151b74e3c0cee7db3d1a7e8d99d2dd1b
Opcode Fuzzy Hash: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction Fuzzy Hash: AF51B072A00216BBDF259F68DC81EAF77A9FB84750F158629FC05D6241EB34DC60C6E0

Function 0088BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BD25
RegCloseKey.ADVAPI32(00000000), ref: 0088BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0088BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088BDF3
RegCloseKey.ADVAPI32(?), ref: 0088BDFF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4e1155be939dde4cfbdf6284e9ccd076b39f08849447fdace0ad904710024ddc
Instruction ID: 54cc4ad74bda3abc1687bf68a2172469a435b74ff195d2c35bc4e8eec72c5d61
Opcode Fuzzy Hash: 4e1155be939dde4cfbdf6284e9ccd076b39f08849447fdace0ad904710024ddc
Instruction Fuzzy Hash: 28818170208241EFD714EF24C895E6ABBE5FF84308F14855DF5598B2A2DB31ED45CB92

Function 0085F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0085F7B9
SysAllocString.OLEAUT32(00000001), ref: 0085F860
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F889
VariantClear.OLEAUT32(0085FA64), ref: 0085F8AD
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F8B1
VariantClear.OLEAUT32(?), ref: 0085F8BB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction ID: 64d25eb8801982a941e9ab963eec99098bf1cc872a2218d6227eeec8118fa53b
Opcode Fuzzy Hash: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction Fuzzy Hash: 8A51B431600314ABCF20AB69D895B29B7A8FF45316F249467EE05DF297DB708C84C797

Function 0087910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008794E5
_wcslen.LIBCMT ref: 00879506
_wcslen.LIBCMT ref: 0087952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00879585

Strings

X, xrefs: 00879412

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1294c7167e105a84ac3a1390eaa59e2c2db6c0c3818859bbe26fdbf01fa585e6
Instruction ID: f68123af38646b046d9c6d758dc146355193b723b2570975122e96f4ec78ea2c
Opcode Fuzzy Hash: 1294c7167e105a84ac3a1390eaa59e2c2db6c0c3818859bbe26fdbf01fa585e6
Instruction Fuzzy Hash: 0FE18E316083108FD764EF28C881A6AB7E4FF85314F04896DE999DB3A2DB31DD45CB92

Function 0081920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

BeginPaint.USER32(?,?,?), ref: 00819241
GetWindowRect.USER32(?,?), ref: 008192A5
ScreenToClient.USER32(?,?), ref: 008192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008192D3
EndPaint.USER32(?,?,?,?,?), ref: 00819321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008571EA

Part of subcall function 00819339: BeginPath.GDI32(00000000), ref: 00819357

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction ID: 790b89299192bfd7bb884bd2669afe94fe9a9a40f0e30bab9302f83a71fce754
Opcode Fuzzy Hash: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction Fuzzy Hash: 38419F30105201AFDB11DF68DCA8FAA7BACFF55325F14026AF9A5C72A1C7319885DB62

Function 008707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0087080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00870847
EnterCriticalSection.KERNEL32(?), ref: 00870863
LeaveCriticalSection.KERNEL32(?), ref: 008708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00870921

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8abd3fe14b3cf128b815d7de6fa8db87f15f1ed8f7e188c69da605a09c7b3b29
Instruction ID: 493b6296e0e39e823a7267c98c5649e6d873d81e935fad0daf1d906e8302a42f
Opcode Fuzzy Hash: 8abd3fe14b3cf128b815d7de6fa8db87f15f1ed8f7e188c69da605a09c7b3b29
Instruction Fuzzy Hash: EE415871A00205EBDF14AF58DC85AAA77B8FF04300B1480A6E904DA29BD731DEA1DBA5

Function 00864C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00864C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00864CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00864CEA
_wcslen.LIBCMT ref: 00864D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00864D10
_wcsstr.LIBVCRUNTIME ref: 00864D1A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2ea5987530b9365050007cc0df08332badb3496ecb6135023cbce50f70f5806b
Instruction ID: bb8958d0bc530fe442e6fc946c5815477a17cf0728ade4d24d2790efaebd2f58
Opcode Fuzzy Hash: 2ea5987530b9365050007cc0df08332badb3496ecb6135023cbce50f70f5806b
Instruction Fuzzy Hash: 8D212632604204BBEB566B39AC09E7F7BACFF45750F15902EF905CA192EA61CC4092A1

Function 0087581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

_wcslen.LIBCMT ref: 0087587B
CoInitialize.OLE32(00000000), ref: 00875995
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 008759AE
CoUninitialize.OLE32 ref: 008759CC

Strings

.lnk, xrefs: 00875876, 008758C1, 00875985

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction ID: c9ff52f0dff1af9a82b72581653eba5f78dc3205c1d4d8220c3d355c12f6ec95
Opcode Fuzzy Hash: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction Fuzzy Hash: 39D142716086019FC714DF28C880A2ABBE5FF89724F14885DF989DB3A1DB71ED45CB92

Function 0086175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
Part of subcall function 00860FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
Part of subcall function 00860FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
Part of subcall function 00860FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

GetLengthSid.ADVAPI32(?,00000000,00861335), ref: 008617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008617BA
HeapAlloc.KERNEL32(00000000), ref: 008617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008617DA
GetProcessHeap.KERNEL32(00000000,00000000,00861335), ref: 008617EE
HeapFree.KERNEL32(00000000), ref: 008617F5

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction ID: 46763219742df53c6c8a095246bdc68e714ded7e186e04ce11065841190cff9a
Opcode Fuzzy Hash: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction Fuzzy Hash: 3B11BB32600205FFDF10AFA4DC49BAF7BA9FB42359F194019F481E7216D736AA40CB60

Function 008614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00861506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00861515
CloseHandle.KERNEL32(00000004), ref: 00861520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00861563

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction ID: 2b8d2bb617a0f12c0f590430dde622b85dc8bf64897051c0f06c4a48a7672565
Opcode Fuzzy Hash: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction Fuzzy Hash: 6511297250120DABDF119FA8EE49FDE7BA9FF48748F094015FA05A2161C3768E60EB61

Function 00823382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00823379,00822FE5), ref: 00823390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0082339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008233B7
SetLastError.KERNEL32(00000000,?,00823379,00822FE5), ref: 00823409

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction ID: 557000cc3aac745ef26544b64b00622b95b467f24e3abaabce06d7009284f42a
Opcode Fuzzy Hash: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction Fuzzy Hash: FE014C33208731BEA61437787CA99172AA8FB257797200229F410C03F0EF264E836154

Function 00832D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00835686,00843CD6,?,00000000,?,00835B6A,?,?,?,?,?,0082E6D1,?,008C8A48), ref: 00832D78
_free.LIBCMT ref: 00832DAB
_free.LIBCMT ref: 00832DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DEC
_abort.LIBCMT ref: 00832DF2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction ID: 355f7beaf1c36feb0b0caeeee28c22bec0272f6ab2d1c23599e172b45211b07d
Opcode Fuzzy Hash: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction Fuzzy Hash: 07F0FC315056146FC612373DBC06F1F2A69FFC17B5F28051AF824D22D2EF75880251E2

Function 00898A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00898A4E
LineTo.GDI32(?,00000003,00000000), ref: 00898A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00898A70
LineTo.GDI32(?,00000000,00000003), ref: 00898A80
EndPath.GDI32(?), ref: 00898A90
StrokePath.GDI32(?), ref: 00898AA0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction ID: a73fdf3c9901d4ca39625af7916b940022e3b3c258a0b49f1ab1924fc4a21bc6
Opcode Fuzzy Hash: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction Fuzzy Hash: C311C976040119FFDF12AF94DC88EAA7FADFF08354F048012FA199A1A1C7729D55DBA0

Function 008651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00865218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00865229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00865230
ReleaseDC.USER32(00000000,00000000), ref: 00865238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0086524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00865261

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction ID: 6fdb850d1eab026d11967d189bfc402b8780b8ffdda8c23ad088e833e095ad1f
Opcode Fuzzy Hash: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction Fuzzy Hash: 81014475A00714BBEB106BA59C49E5EBF78FB44751F044066FA04E7381D6719800CF60

Function 00801BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction ID: f29cd8a1fe5b34e6d7c621231edb51b5a2a802eecfa59f24641ad9d9ba68e9e4
Opcode Fuzzy Hash: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction Fuzzy Hash: E10167B0902B5ABDE3009F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0086EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0086EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0086EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0086EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB75

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction ID: 9201b57dd63945f8dafd864196d58a0877eb84102702076a3e4f1ad8427878c6
Opcode Fuzzy Hash: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction Fuzzy Hash: E5F05E72240158BFE7216B629C0EEEF7E7CFFCAB11F04015AF601E1191D7A25A01C6B9

Function 00857439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00857452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00857469
GetWindowDC.USER32(?), ref: 00857475
GetPixel.GDI32(00000000,?,?), ref: 00857484
ReleaseDC.USER32(?,00000000), ref: 00857496
GetSysColor.USER32(00000005), ref: 008574B0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction ID: 116f7ac7e21a78615aba74cc108d7eae65a2c0d3d57f62eeb0ad55651a97c9a0
Opcode Fuzzy Hash: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction Fuzzy Hash: 39014B31500219EFDB516FA4EC08BAA7BB5FF04312F594165FE16A21A1CB321E51AB50

Function 00861874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0086187F
UnloadUserProfile.USERENV(?,?), ref: 0086188B
CloseHandle.KERNEL32(?), ref: 00861894
CloseHandle.KERNEL32(?), ref: 0086189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008618A5
HeapFree.KERNEL32(00000000), ref: 008618AC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction ID: 6f7e61bb20a9fc6a4fd75f4d82369a55bed0279b5bcc4f6b4fbfda23d8897ee0
Opcode Fuzzy Hash: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction Fuzzy Hash: A9E0E536004101BFDB016FA5EE0C90AFF39FF49B22B148222F22581170CB339420EF64

Function 0088AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0088AEA3

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetProcessId.KERNEL32(00000000), ref: 0088AF38
CloseHandle.KERNEL32(00000000), ref: 0088AF67

Strings

@, xrefs: 0088AE72
<, xrefs: 0088AE6B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 375280ee82a8a0ded7a32359d587212d7df089dbc9810fe94bd4987e9705863f
Instruction ID: 2e423b416732ca7486816c152046f857a7513dc3321dfe0498c4e166f7ec223a
Opcode Fuzzy Hash: 375280ee82a8a0ded7a32359d587212d7df089dbc9810fe94bd4987e9705863f
Instruction Fuzzy Hash: AA713A75A00615DFDB14EF58C884A9EBBB4FF08314F04849AE816AB392CB75ED41CB92

Function 00896278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008962E2
ScreenToClient.USER32(?,?), ref: 00896315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00896382

Strings

U, xrefs: 008962B1, 008963AC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: U
API String ID: 3880355969-2399391058
Opcode ID: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction ID: de1d560f90dcd03baa5e4f2b34739c4817fa72a227610e47e9668f95bb415026
Opcode Fuzzy Hash: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction Fuzzy Hash: 8C512A74A00209AFDF10EF68D8909AE7BB5FF45360F14826AF815DB290E731AD91DB50

Function 0086719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00867206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0086723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0086724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008672CF

Strings

DllGetClassObject, xrefs: 00867242

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction ID: a6a851a23dcbd0b9e1618737b823f9893a17ae0e2dc7b34a4ba15fb2705c356d
Opcode Fuzzy Hash: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction Fuzzy Hash: 4C416C71A04204AFDB15CF54C895B9ABBA9FF44318F1680A9BD06DF30AD7B1D944CBE0

Function 0086C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0086C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0086C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008D1990,S), ref: 0086C395

Strings

S, xrefs: 0086C28D
0, xrefs: 0086C2DF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$S
API String ID: 135850232-4004268476
Opcode ID: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction ID: bb3d030d398ab7420b28eb2f7b797afc26f7af3cca91a8d3ec5738b6a76612e3
Opcode Fuzzy Hash: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction Fuzzy Hash: 5A417E312043019FD720DF29D945B6ABBA8FB85314F16861EF9A5D73D1D730E904CB62

Function 008952C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00895352
GetWindowLongW.USER32(?,000000F0), ref: 00895375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00895382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008953A8

Strings

U, xrefs: 008952F1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: U
API String ID: 3340791633-2399391058
Opcode ID: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction ID: 25e4b9972b9a3d8a2ec8b5b039c5cdc937f0280b3d604f512d1fe3ed67767379
Opcode Fuzzy Hash: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction Fuzzy Hash: 5D31CF34A55A0CEFEF22BA54CC15BE97765FB06390F5C4102FA11D63E1C7B19980BB42

Function 00897674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0089769A
GetWindowRect.USER32(?,?), ref: 00897710
PtInRect.USER32(?,?,00898B89), ref: 00897720
MessageBeep.USER32(00000000), ref: 0089778C

Strings

U, xrefs: 008976D6, 00897733

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: U
API String ID: 1352109105-2399391058
Opcode ID: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction ID: 1241753c1698f5aa440d3bd02bcb1abaf11708a56d469cc7bd1313b8070d091e
Opcode Fuzzy Hash: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction Fuzzy Hash: F1419A34A19254FFDF01EF98C898EA9BBF4FF89304F5941A9E814DB261C331A941CB90

Function 00861DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00861E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00861E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00861EA9

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Strings

ComboBox, xrefs: 00861DF0
ListBox, xrefs: 00861E25

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 982adf2b09962dcbcd22526247ac8ba233e49a3f5da30b1be7d36a9d74b757c3
Instruction ID: 33d74d91804353293a47e8b2d3d85663201c02a92c902c6c904b4289c13732d6
Opcode Fuzzy Hash: 982adf2b09962dcbcd22526247ac8ba233e49a3f5da30b1be7d36a9d74b757c3
Instruction Fuzzy Hash: AE213771A00104BADF54AB68DC49DFFB7B8FF41360B194119F821E72E2DB3A89059620

Function 0088C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088C9F1
_wcslen.LIBCMT ref: 0088CA68
_wcslen.LIBCMT ref: 0088CA9E
_wcslen.LIBCMT ref: 0088CAF9
_wcslen.LIBCMT ref: 0088CB2F
_wcslen.LIBCMT ref: 0088CB7F

Strings

HKLM, xrefs: 0088CA98, 0088CA9D
HKEY_LOCAL_MACHINE, xrefs: 0088CA62, 0088CA67

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: cc4ba1ddb3c0f631d8325090bba1c0524564b8ef1a93a22721e832eb931a20d0
Instruction ID: 0adcb2e2cb0f6e8673dc48245741d1cdf26df423661554e0d4bf6ad981a956ec
Opcode Fuzzy Hash: cc4ba1ddb3c0f631d8325090bba1c0524564b8ef1a93a22721e832eb931a20d0
Instruction Fuzzy Hash: 7D31F5B2A001794BCB28FE6C98405BE37A2FFA1754B05402AE851EB34DE671CE8497B0

Function 00894653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00894705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00894713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0089471A

Strings

msctls_updown32, xrefs: 00894684
U, xrefs: 008946D0, 008946EF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: U$msctls_updown32
API String ID: 4014797782-3180792962
Opcode ID: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction ID: af5b505238f3e69d9ae8c41939227caa1fdbbc4737d916fc808705e6aea64f5c
Opcode Fuzzy Hash: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction Fuzzy Hash: 3C216DB5600208BFEB11EF68DC91DB637ADFB5A394B440049F601D7251DB31EC12CA60

Function 00898FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetCursorPos.USER32(?), ref: 00899001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00857711,?,?,?,?,?), ref: 00899016
GetCursorPos.USER32(?), ref: 0089905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00857711,?,?,?), ref: 00899094

Strings

U, xrefs: 0089902E, 00899064

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: U
API String ID: 2864067406-2399391058
Opcode ID: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction ID: ad60f25838247e32d7907ec14cd123c06d4c72281b393e8ae2158fd566dc5d1d
Opcode Fuzzy Hash: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction Fuzzy Hash: F1218D35600418FFCF25AF99CC58EEA7BB9FF49360F09416AF95587261C33299A0DB60

Function 00892F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00892F8D
LoadLibraryW.KERNEL32(?), ref: 00892F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00892FA9
DestroyWindow.USER32(?), ref: 00892FB1

Strings

SysAnimate32, xrefs: 00892F68

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction ID: ff853beb9b91ac2d8fbc6ae837b28faca394c3a1dabe3abbf7404f4c03a08eb9
Opcode Fuzzy Hash: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction Fuzzy Hash: 9521AC72200209BBEF21AFA4DC84EBB37B9FB99364F180629F954D2190DB71DC519760

Function 00824D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002), ref: 00824D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00824DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000), ref: 00824DC3

Strings

mscoree.dll, xrefs: 00824D86
CorExitProcess, xrefs: 00824D98

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction ID: 461ae0eafe2bdd979f717f28e9951343a9524e2573f6e528fe069eff275f904a
Opcode Fuzzy Hash: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction Fuzzy Hash: 2DF0AF30A00218BBDB10AF90EC09BADBBB4FF04751F0400A5F80AE2260CB325D80DEA0

Function 0085D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0085D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0085D3BF
FreeLibrary.KERNEL32(00000000), ref: 0085D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0085D3B9
X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction ID: f7a1c17cfa7d8db1cb3743e17b00dd30a0d254dddde6de7037a478d41e329e6c
Opcode Fuzzy Hash: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction Fuzzy Hash: EEF05531806B209BCB7167208C08AAE3724FF10707F58815AFD02E6320EB30CDCCCA82

Function 00804E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

Strings

kernel32.dll, xrefs: 00804E94
Wow64DisableWow64FsRedirection, xrefs: 00804EA8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction ID: 01221a274247b181547ea591cbcf6705ee0d52d58622eeb5ed5db85c0302abb2
Opcode Fuzzy Hash: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction Fuzzy Hash: F0E0CD35A415225BD3712B25FC18B5F7554FF81F7270D0116FD04D3250DB65CD0240E4

Function 00804E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,@b,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Strings

kernel32.dll, xrefs: 00804E5B
Wow64RevertWow64FsRedirection, xrefs: 00804E6E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction ID: 65923e7b17dd0d19bf4897f37aa04e4007e9ae8b4961dd3b8cf4c92fd310d03b
Opcode Fuzzy Hash: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction Fuzzy Hash: 40D01235542621579A622B25BC18E8B7A18FF85B71389451ABA09E2294CF66CD0285D4

Function 00872947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872C05
DeleteFileW.KERNEL32(?), ref: 00872C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00872C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CC0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cc9c8eaba9b4680e5aab3511b05d0ffc30d6cc80117adb967f334e88fe9d3bc4
Instruction ID: f8a1df50b87063e44b4819d92eec0253b08b6b26a489055cf15f4e9cac941aa4
Opcode Fuzzy Hash: cc9c8eaba9b4680e5aab3511b05d0ffc30d6cc80117adb967f334e88fe9d3bc4
Instruction Fuzzy Hash: 83B1407190012DABDF21DBA8CC85EDEB77DFF49354F1080A6F509E6145EA31DA448F61

Function 0088A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0088A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0088A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0088A468
CloseHandle.KERNEL32(?), ref: 0088A63D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 45b8efa760da223c24136d7a601248f63e0d4fd8fbae0f7f7e6ccb5382e9f921
Instruction ID: e6426ef3b45441a9d948a89924b760b2941f9713f375b989ef7951768805a96e
Opcode Fuzzy Hash: 45b8efa760da223c24136d7a601248f63e0d4fd8fbae0f7f7e6ccb5382e9f921
Instruction Fuzzy Hash: 66A15A716043019FE724EF28C886B2AB7E5FB84714F14885DF55ADB2D2DAB1EC418B92

Function 0086E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

lstrcmpiW.KERNEL32(?,?), ref: 0086E473
MoveFileW.KERNEL32(?,?), ref: 0086E4AC
_wcslen.LIBCMT ref: 0086E5EB
_wcslen.LIBCMT ref: 0086E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0086E650

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction ID: 58871bad515740df972c61a7f8086c70c9e809807bb5c839a6d237a3df2cf0d3
Opcode Fuzzy Hash: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction Fuzzy Hash: BE5150B25087859BC724EBA4DC819DB73DCFF85340F00492EF689D3191EE75A688876B

Function 0088B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0088BB63
RegCloseKey.ADVAPI32(?,?), ref: 0088BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0088BBB3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction ID: 55bafe089434c3ad37a9c70063dc0541fa1f0253e075bc6902b866a172af52b6
Opcode Fuzzy Hash: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction Fuzzy Hash: E1619031209241EFD714EF14C891E2ABBE5FF84318F5485ADF4998B2A2DB31ED45CB92

Function 00868BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00868BCD
VariantClear.OLEAUT32 ref: 00868C3E
VariantClear.OLEAUT32 ref: 00868C9D
VariantClear.OLEAUT32(?), ref: 00868D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00868D3B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction ID: 4414d903a798ce14a19b256a75aabcd5e85196441f52a1d44742fe02f1913272
Opcode Fuzzy Hash: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction Fuzzy Hash: E6515BB5A00219EFCB14CF58C894AAAB7F4FF89314F168559E909DB350E730E911CFA0

Function 00878AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00878BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00878BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00878C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00878C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00878C5F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2fc746c2c0a6f56e075c2ddd26b1a9cde741a37c1cd5d254f21506155efcea0b
Instruction ID: 2eaa87a1eb8fb937a621017f37f4e7732c8e99d909afc66a8b9175c34e0af4c7
Opcode Fuzzy Hash: 2fc746c2c0a6f56e075c2ddd26b1a9cde741a37c1cd5d254f21506155efcea0b
Instruction Fuzzy Hash: 83515A35A00215DFDB41DF68C885AAABBF5FF48314F08C459E849AB3A2CB35ED41CB91

Function 00888EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00888F40
GetProcAddress.KERNEL32(00000000,?), ref: 00888FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00888FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00889032
FreeLibrary.KERNEL32(00000000), ref: 00889052

Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00871043,?,753CE610), ref: 0081F6E6
Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0085FA64,00000000,00000000,?,?,00871043,?,753CE610,?,0085FA64), ref: 0081F70D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction ID: c8d404985ca29488b8b8b32ff5ee970090325990aefe3218bb5fb704d95faeb5
Opcode Fuzzy Hash: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction Fuzzy Hash: 1F513C35604605DFC711EF58C8848ADBBF1FF49314B4980A9E94AEB3A2DB31ED85CB91

Function 0081912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00819141
ScreenToClient.USER32(00000000,?), ref: 0081915E
GetAsyncKeyState.USER32(00000001), ref: 00819183
GetAsyncKeyState.USER32(00000002), ref: 0081919D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction ID: c630ae41da15ca54f485b7f5e2858092a3a653db0de50ee80987203566d710f9
Opcode Fuzzy Hash: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction Fuzzy Hash: F841707190850AFBDF059F68D858BEEB778FF05324F248216E865E32D0C7346994CB51

Function 00873874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00873922
TranslateMessage.USER32(?), ref: 0087394B
DispatchMessageW.USER32(?), ref: 00873955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction ID: 69f2d80b8e6ac1e507cecfb38ef12baaf52b8697ee356a17728bb7d9002615d7
Opcode Fuzzy Hash: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction Fuzzy Hash: EA31E870505345BEEF25CB749848BB67FA8FF06304F04866AD56AC21A4D3B5D684EB13

Function 0087CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0087CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFF2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 13b525e451161a0f106e20db209eae17cc7e6a837dd856e981085031e1f54e9b
Instruction ID: 42595f9276e8d708cbbbd49a02f5775c0f02fb58b1a444be73a917afea7db949
Opcode Fuzzy Hash: 13b525e451161a0f106e20db209eae17cc7e6a837dd856e981085031e1f54e9b
Instruction Fuzzy Hash: 26317A71600209AFDB20DFA9D884AABBBF9FF14354B14842EF50AE3105DB70EE409B60

Function 00861901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00861915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008619E2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction ID: 07000b490224a0339e17b7e32b6727f487284fbb0dbb0eacbbd2a4622bb942b6
Opcode Fuzzy Hash: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction Fuzzy Hash: 0C319C71A00219EFCB00CFA8C99DA9E3BB5FB04315F594229F921EB2D2C7709944CB90

Function 00895706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00895745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0089579D
_wcslen.LIBCMT ref: 008957AF
_wcslen.LIBCMT ref: 008957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction ID: f5b9c938ace578cd5b9f35c239536be8e701a2367a4cce2dd483cd20020cd90c
Opcode Fuzzy Hash: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction Fuzzy Hash: 4F218771904618AADF61AFA4DC45AED7B78FF14724F144216E929EA180D7708A85CF50

Function 00880930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00880951
GetForegroundWindow.USER32 ref: 00880968
GetDC.USER32(00000000), ref: 008809A4
GetPixel.GDI32(00000000,?,00000003), ref: 008809B0
ReleaseDC.USER32(00000000,00000003), ref: 008809E8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction ID: 24ddc06b3ed427fce788279324f2f0ccdc998c0bb8acb0eae7980a06f48d4473
Opcode Fuzzy Hash: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction Fuzzy Hash: E6216236A00204AFD754EF69CC44A6EBBE5FF48704F04806DE85AD7761DB70AC44CB51

Function 0083CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0083CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0083CDE9

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0083CE0F
_free.LIBCMT ref: 0083CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0083CE31

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction ID: 47906e8e9fb6448645fc078262f0432a171affc6f4266a921b7fabd8a2b99c87
Opcode Fuzzy Hash: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction Fuzzy Hash: 9A01AC726012157F2721267AEC4CD7B7D6DFEC6BA1715012AFD05E7201DB628D0193F1

Function 00819639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
SelectObject.GDI32(?,00000000), ref: 008196A2
BeginPath.GDI32(?), ref: 008196B9
SelectObject.GDI32(?,00000000), ref: 008196E2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction ID: f8acbbf54e90ce3d6e784d1905c693201d4b1afe1182f6ba24f79ea3524c2847
Opcode Fuzzy Hash: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction Fuzzy Hash: 2A214A70802205FBDF119F68EC28BE93BA8FF20365F944317F851A61A1D3715896CBA5

Function 00865711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865726
_memcmp.LIBVCRUNTIME ref: 00865744
_memcmp.LIBVCRUNTIME ref: 00865757
_memcmp.LIBVCRUNTIME ref: 0086576F
_memcmp.LIBVCRUNTIME ref: 00865787

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction ID: 4f2fdd5d4f6534f0b8bf134b8c44b384dc103719c325c9b452861f0fcabd284b
Opcode Fuzzy Hash: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction Fuzzy Hash: B101F561241619BBDA0CA514AD86FBB734DFB313A8F158020FE04EE342F725ED6082E1

Function 00832DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0082F2DE,00833863,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6), ref: 00832DFD
_free.LIBCMT ref: 00832E32
_free.LIBCMT ref: 00832E59
SetLastError.KERNEL32(00000000,00801129), ref: 00832E66
SetLastError.KERNEL32(00000000,00801129), ref: 00832E6F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction ID: 947301319337a180b21aa59c433c480b885b843cdfbd15314ab002f15d3c9f72
Opcode Fuzzy Hash: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction Fuzzy Hash: 560128322056006BCA1277797C47E2B2A6DFBC13B9F29012AF825E22D3EF789C0150E1

Function 0086000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860070

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction ID: 57628a0b78ac3ceb904fecdba584dbcd4eadc754075fb3e791165db0d008e2c6
Opcode Fuzzy Hash: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction Fuzzy Hash: DD01AD72600604BFDB109F68DC08FAB7AEDFF48792F194125F905E2210E7B2DD409BA0

Function 0086E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0086E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0086E9A5
Sleep.KERNEL32(00000000), ref: 0086E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0086E9B7
Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction ID: c070cbc8cae8f794cdd4a4262032e3d480a32e9efff0b0596ddd70752856c383
Opcode Fuzzy Hash: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction Fuzzy Hash: D1011335C0162DDBCF00AFE5D859AEEBF78FF09701F460556E902F2241CB3196558BA6

Function 008610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction ID: 5589c469df15ae8b28fc05ccd579aabf5148f410a02e5a511c068a8c54e323e7
Opcode Fuzzy Hash: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction Fuzzy Hash: CD011D75100205BFDF125FA5DC4DA6A3B6EFF86360B59441AFA45D7360DA32DC009A60

Function 00860FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction ID: 9377d3d8f968aef56d2172e3f51397de7690730d94b5e68b0238ba165db78f03
Opcode Fuzzy Hash: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction Fuzzy Hash: 8AF04935200701ABDF216FA49C4DF5A3BADFF89B62F694416FA45C6261CA72DC408A70

Function 00861014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction ID: 34c9516ae694fc55101a9a8186fe12d0c27b26a3605fbf5a1042135130a83153
Opcode Fuzzy Hash: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction Fuzzy Hash: 17F04935200711ABDF21AFA4EC4DF5A3BADFF89761F290416FA45C6261CA72D8408AB0

Function 0087030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870324
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870331
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087033E
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087034B
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870358
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870365

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction ID: 073507c74a1badd152e21627b5e07a26aff391c3e20e25381eace0338b982eb3
Opcode Fuzzy Hash: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction Fuzzy Hash: 0B019072800B15DFC730AF66D880412F7F5FE502153158A3FD19A92A31C371A954DE80

Function 0083D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0083D752

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D764
_free.LIBCMT ref: 0083D776
_free.LIBCMT ref: 0083D788
_free.LIBCMT ref: 0083D79A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction ID: 28d4117e09feea9c10ae3f1a649de5ac06ab77fea863720e22e24c7b144fdee0
Opcode Fuzzy Hash: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction Fuzzy Hash: ECF01D72545318AB8621EB68F9C6E2A7FEDFB84710FA40845F448E7502CB30FC808AE5

Function 00865C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00865C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00865C6F
MessageBeep.USER32(00000000), ref: 00865C87
KillTimer.USER32(?,0000040A), ref: 00865CA3
EndDialog.USER32(?,00000001), ref: 00865CBD

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction ID: 9246395327ac5690131b2c0af9010f1d7c23cc92d7b6def722d239c514cc3d15
Opcode Fuzzy Hash: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction Fuzzy Hash: 07018170600B04AFEB216B50DD5EFA67BB8FB10B05F05055EA583E10E1DBF5A9948B90

Function 008322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008322BE

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 008322D0
_free.LIBCMT ref: 008322E3
_free.LIBCMT ref: 008322F4
_free.LIBCMT ref: 00832305

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction ID: 637c81de3f7f40a188f64b7e7b09fbbf5aed84f43f65f3139067e602fb8ae1c7
Opcode Fuzzy Hash: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction Fuzzy Hash: 1DF05E748021309B8A12EF98BC01F0D3F64FB58760F11075BF818D22B5CB310812AFE5

Function 008195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008195D4
StrokeAndFillPath.GDI32(?,?,008571F7,00000000,?,?,?), ref: 008195F0
SelectObject.GDI32(?,00000000), ref: 00819603
DeleteObject.GDI32 ref: 00819616
StrokePath.GDI32(?), ref: 00819631

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction ID: 1b1d2465db9bfa641670957ebee65d88c963fd0f6e230c1cd0e34f773d115c8f
Opcode Fuzzy Hash: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction Fuzzy Hash: 29F0B631006608FBDB166F65ED2C7A43F65FF11322F488316E469950F1C7318995DF24

Function 00830F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008310F9
__freea.LIBCMT ref: 00831117

Part of subcall function 00831537: _free.LIBCMT ref: 0083154F

Strings

am/pm, xrefs: 0083117A
a/p, xrefs: 008311DE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction ID: cc2f8f2664e90bd34bc34d67e9972c51c9b2775c2b7790991a870825ad30654a
Opcode Fuzzy Hash: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction Fuzzy Hash: 37D1CE3190020A9ADF289F68C85DBFEB7B1FF85B04F284159E901EBA51D7799D80CBD1

Function 0080BBE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0080BEB3

Strings

@b, xrefs: 0080BBE6
, xrefs: 0080BC1B, 0080BCC7
x, xrefs: 0080BC10

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: $@b$x
API String ID: 1385522511-3978502647
Opcode ID: 099bf6ab77457f2e18bafbed6418fdda2b06ea828ec82e9dc8113bc242667535
Instruction ID: 20758752d8b96c150efbc2f702ac655738b1558ac6733f8ee1798f1bc0326876
Opcode Fuzzy Hash: 099bf6ab77457f2e18bafbed6418fdda2b06ea828ec82e9dc8113bc242667535
Instruction Fuzzy Hash: 9B913A75A0020ADFCB98CF58C890AA9B7F1FF68314F24816AD955EB391D731ED81CB90

Function 00862716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0086B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621D0,?,?,00000034,00000800,?,00000034), ref: 0086B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00862760

Part of subcall function 0086B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0086B3F8

Part of subcall function 0086B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0086B355
Part of subcall function 0086B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B365
Part of subcall function 0086B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0086281A

Strings

@, xrefs: 00862832

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction ID: cde62b00fd52a8401e15d16b39ae2eaad396eebb045a7397fbab01d33c5d7e78
Opcode Fuzzy Hash: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction Fuzzy Hash: 4F412C72900218AEDB11DBA8CD46FEEBBB8FB09304F014099EA55B7181DB716E85CB61

Function 0083172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00831769
_free.LIBCMT ref: 00831834
_free.LIBCMT ref: 0083183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00831760, 00831767, 00831796, 008317CE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction ID: b89e4afeb9279c86abafb9c0a1a6fa091c62080ec1ee837022e7d0feea444793
Opcode Fuzzy Hash: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction Fuzzy Hash: AF316A75A00218BBDF21DB99DC89D9EBBBCFFC5B10F1441A6E804D7215DAB08A40CBE5

Function 00894416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0089CC08,00000000,?,?,?,?), ref: 008944AA
GetWindowLongW.USER32 ref: 008944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008944D7

Strings

SysTreeView32, xrefs: 0089447C

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction ID: 322b0315fec66548a4903a875d687ec8a142f340534ff9a48438d0e473539c61
Opcode Fuzzy Hash: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction Fuzzy Hash: 8331AB31210605ABDF20AE78DC45FEA7BA9FB08324F285319F979E21D0D770AC519B50

Function 00894537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0089461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00894634

Strings

', xrefs: 0089458E
U, xrefs: 008945D7

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: U$'
API String ID: 3850602802-2019772650
Opcode ID: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction ID: 8cf165159863e897f1ae8023b8b08a852d8c0615c1b3a43485589e872f0ab28a
Opcode Fuzzy Hash: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction Fuzzy Hash: 413117B4A0120AAFDF14DFA9C990BDABBB5FF09300F15516AE905EB341D770A942CF90

Function 0088304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00883077,?,?), ref: 00883378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
_wcslen.LIBCMT ref: 0088309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00883106

Strings

255.255.255.255, xrefs: 00883095, 0088309A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction ID: 5804f7b4e5ccbea3d5ff833cbf54b99cfca343596016f8cafa95be09f013717c
Opcode Fuzzy Hash: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction Fuzzy Hash: 0131D339604205DFCB10EF68C885EAA77E0FF14B18F248069E916DB392DB72EE45C761

Function 00893EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00893F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00893F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00893F78

Strings

SysMonthCal32, xrefs: 00893F0B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction ID: f86130a67b65bfb9f68d2c18656c47d71e88a87420c80d90d97786b605187b8f
Opcode Fuzzy Hash: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction Fuzzy Hash: A2219C32600219BBDF22AF54DC46FEA3B79FF48714F150219FA15AB1D0DAB5A9508BA0

Function 008695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086961D

Strings

#OnAutoItStartRegister, xrefs: 008695F3
#notrayicon, xrefs: 008695B7
#requireadmin, xrefs: 008695D9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c717db38c6eb9182de9f1880c83f98a7ea7df642bc5dcfaf2f6123fb84eb5a76
Instruction ID: 819f17a46fe8db817cc95932a4b4dcf3eef0458285b9f5a4cced353202b0d4a8
Opcode Fuzzy Hash: c717db38c6eb9182de9f1880c83f98a7ea7df642bc5dcfaf2f6123fb84eb5a76
Instruction Fuzzy Hash: CF213B72104620A6C731AA28DC06FB773DCFF61314F154025F99AD71C1EB75AD85C296

Function 008937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00893840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00893850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00893876

Strings

Listbox, xrefs: 0089380F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction ID: 48b7194614a551e1c7cec0ee902601ff8d207171da5579b6b3a25bbd47290a5f
Opcode Fuzzy Hash: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction Fuzzy Hash: E7218E72610218BBEF21AF94CC85FBB376AFF89754F148125F915AB190C672DC528BA0

Function 008749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00874A5C
SetErrorMode.KERNEL32(00000000,?,?,0089CC08), ref: 00874AD0

Strings

%lu, xrefs: 00874A6F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction ID: 73d21f10f7c4857ccb9c8d0e8b1b3abc94ff479dcbde327d6d4149fa69d8983b
Opcode Fuzzy Hash: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction Fuzzy Hash: CB311075A00119AFDB10DF58C985EAABBF8FF04308F1480A5E909DB252D775ED45CB61

Function 008941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0089424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00894264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00894271

Strings

msctls_trackbar32, xrefs: 00894226

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction ID: c6a293f48a03ca2efdb70d77918c59460eaff007c727ffebaf92cb1361e34f61
Opcode Fuzzy Hash: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction Fuzzy Hash: 90110632240208BEEF206F69CC06FAB3BACFF95B54F110524FA55E2190D271DC629B20

Function 00862F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Part of subcall function 00862DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
Part of subcall function 00862DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
Part of subcall function 00862DA7: GetCurrentThreadId.KERNEL32 ref: 00862DDD
Part of subcall function 00862DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

GetFocus.USER32 ref: 00862F78

Part of subcall function 00862DEE: GetParent.USER32(00000000), ref: 00862DF9

GetClassNameW.USER32(?,?,00000100), ref: 00862FC3
EnumChildWindows.USER32(?,0086303B), ref: 00862FEB

Strings

%s%d, xrefs: 00862FFF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction ID: 6a0ee3667d2606ae025ace1824ceb2e6bf7cc18ea7484d81232bdf5291376b9a
Opcode Fuzzy Hash: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction Fuzzy Hash: 6711D5B12002096BCF417F64CC95FED376AFF94314F0440B9B909DB292DE3199498B61

Function 00895882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958EE
DrawMenuBar.USER32(?), ref: 008958FD

Strings

0, xrefs: 0089588F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8a37ea392a1c57f627ff7722c9b16c44c24de8da9c8ebe68d80ef1aa23fadaa3
Instruction ID: 662c36e1d7709ad8a816172cae2388d9feb4db9f40fe62ed0e8c05936bd76764
Opcode Fuzzy Hash: 8a37ea392a1c57f627ff7722c9b16c44c24de8da9c8ebe68d80ef1aa23fadaa3
Instruction Fuzzy Hash: 46016131500218EFDF51AF15EC44BAEBBB8FF45760F188099F949DA151DB308A84DF21

Function 00897803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,008D18B0,0089A364,000000FC,?,00000000,00000000,?,?,?,008576CF,?,?,?,?,?), ref: 00897805
GetFocus.USER32 ref: 0089780D

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 0089787A

Strings

U, xrefs: 00897841, 00897852

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: U
API String ID: 3601265619-2399391058
Opcode ID: 1a1f2f6fac5720186cd6ef8f1447ee3fa0f5bc4d1339a919e9a7110e2152ac48
Instruction ID: 797eabeea4aa2ffc8833398a35ad3835e6cf44b39bc4132d2557fe7ad1ebcf2f
Opcode Fuzzy Hash: 1a1f2f6fac5720186cd6ef8f1447ee3fa0f5bc4d1339a919e9a7110e2152ac48
Instruction Fuzzy Hash: 5F017131615110AFDB25EB68D85CAB677E6FF8A320F1C026EE025D72A1CB316C46CB50

Function 0086007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction ID: 37902387b3fc9c1409a3920dea4062983d8ca2f06a29522b04aa0859364cb88a
Opcode Fuzzy Hash: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction Fuzzy Hash: DFC14875A0020AAFDB15CFA8C894BAEB7B5FF48305F218598E505EB351D731EE41CB94

Function 00833E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00833F0B
__alldvrm.LIBCMT ref: 0083410C
__alldvrm.LIBCMT ref: 0083412E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2f515113cf7101786f8cc26bf7ad934458c31174d38ea7ac0c63882aa456002e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: AAA14872E00B869FDB25CF28C8917AEBBE4FFA1354F14416DE585DB281C638A981C7D1

Function 0088342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00883459
CoUninitialize.OLE32 ref: 00883463
VariantInit.OLEAUT32(?), ref: 0088346E
VariantClear.OLEAUT32(?), ref: 0088371B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction ID: 2030df8845041f95da0d96ce43007a58071cd48aec405e3aa7c274656357db55
Opcode Fuzzy Hash: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction Fuzzy Hash: F0A12C756043019FC710EF28C985A6AB7E5FF88714F048859F98ADB3A2DB71EE41CB52

Function 00860436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 008605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 00860608
CLSIDFromProgID.OLE32(?,?,00000000,0089CC40,000000FF,?,00000000,00000800,00000000,?,0089FC08,?), ref: 0086062D
_memcmp.LIBVCRUNTIME ref: 0086064E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction ID: fae24145e5c16cd9f24c6c5e85053d6982a3af8d9e668c3984d2673229fccce4
Opcode Fuzzy Hash: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction Fuzzy Hash: 1E810771A00209AFCB04DF94C988EEEB7B9FF89315F214558E506EB250DB71AE06CF64

Function 00841391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008414C0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction ID: 4275f61880635cfd59fb4fde28ada4b445fe1e8fbe8f26715e4d371aadde1a29
Opcode Fuzzy Hash: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction Fuzzy Hash: E9412C31A0011CABDF217BBD9C49AAE3AB6FF42370F144225F519D6292E77448C196A7

Function 00881AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00881AFD
WSAGetLastError.WSOCK32 ref: 00881B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00881B8A
WSAGetLastError.WSOCK32 ref: 00881B94

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction ID: 91d999376dcbdcd68f6bc4ad817a03bf3c5187cd2f1ac3f2d25a6c534b77f577
Opcode Fuzzy Hash: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction Fuzzy Hash: FE4160746002006FEB20AF28C886F6577E5FB44718F548558F51ADF3D2DA72DD828B91

Function 0083B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction ID: cbcdcd003b52a90d12bb4d9b9bc3cf5dbbb95c8283ddcb1950d7d8f4c52e0493
Opcode Fuzzy Hash: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction Fuzzy Hash: 054104B5A00318AFD7249F7CCC41BAABBA9FBC8720F10852AF241DB682D771994187C5

Function 008756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00875783
GetLastError.KERNEL32(?,00000000), ref: 008757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008757FA

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction ID: a5b2dda8c6b092f567663782a24c170b67991b61713a3af8cec20801b746e20c
Opcode Fuzzy Hash: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction Fuzzy Hash: 12412F35600610DFCB11EF59C944A5EBBE1FF49320B19C498E84A9B3A6CB75FD40CB92

Function 0083D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00826D71,00000000,00000000,008282D9,?,008282D9,?,00000001,00826D71,8BE85006,00000001,008282D9,008282D9), ref: 0083D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0083D9AB
__freea.LIBCMT ref: 0083D9B4

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction ID: 3d7942a413fcebec472e03e41162bc5252c0285a973aaaf8546fa41562fe00fa
Opcode Fuzzy Hash: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction Fuzzy Hash: 4C31CD72A0021AABDF259F69EC45EAE7BA5FB80310F050168FC04DB250EB35CD50CBE0

Function 0086AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0086ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0086AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0086AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0086ACC6

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction ID: aa8f958111d47c826776497e0ffbb549152acd52d0109538d5587b16557520b5
Opcode Fuzzy Hash: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction Fuzzy Hash: 50310630A00618AFEF39CB69CC05BFA7BA9FB89310F09431AE485E61D1C37599859B53

Function 008916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008916EB

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

GetCaretPos.USER32(?), ref: 008916FF
ClientToScreen.USER32(00000000,?), ref: 0089174C
GetForegroundWindow.USER32 ref: 00891752

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction ID: a2e83ad5022668c956182ce52d8562387c45f25b7d12ae48008350b30884a614
Opcode Fuzzy Hash: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction Fuzzy Hash: 00313075D00149AFDB00EFA9C885CAEBBF9FF48304B5480AAE415E7251EB31DE45CBA1

Function 0086DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

_wcslen.LIBCMT ref: 0086DFCB
_wcslen.LIBCMT ref: 0086DFE2
_wcslen.LIBCMT ref: 0086E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0086E018

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: a459d694b88df6f9288d949e2c351600acb2df027e4bf3276eabbae4ed4e5051
Instruction ID: b9580ced354b28b545313640730c9e629faa275d0524ce7aa89210170ae1ea71
Opcode Fuzzy Hash: a459d694b88df6f9288d949e2c351600acb2df027e4bf3276eabbae4ed4e5051
Instruction Fuzzy Hash: CA21D675D00614EFCB10DFA8D881BAEBBF8FF45750F154065E905FB242D6B09D818BA2

Function 0086D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Process32NextW.KERNEL32(00000000,?), ref: 0086D52F
CloseHandle.KERNEL32(00000000), ref: 0086D5DC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction ID: 15878d53fa7ba46336164891de2bec6b4d5071e54e0702c28390ac88e389058c
Opcode Fuzzy Hash: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction Fuzzy Hash: EE316D715083009FD304EF58CC85AABBBE8FF99354F14092DF582C62A2EB719945CBA3

Function 0086D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0089CB68), ref: 0086D2FB
GetLastError.KERNEL32 ref: 0086D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0086D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0089CB68), ref: 0086D376

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction ID: 5f7be83541876c4be11a68fbcb6c2df4a6fda754e2bcba3697bcaa90ccbe0a58
Opcode Fuzzy Hash: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction Fuzzy Hash: F7218D70A083019FC710EF28C98186A77E8FE56328F554A1EF4A9C73E1E7319946CB93

Function 00861571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
Part of subcall function 00861014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
Part of subcall function 00861014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
Part of subcall function 00861014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008615BE
_memcmp.LIBVCRUNTIME ref: 008615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00861617
HeapFree.KERNEL32(00000000), ref: 0086161E

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction ID: b0e36e3fc92bd6b443b6c9305953043f88603717fc9e0d949920b5411caa44d8
Opcode Fuzzy Hash: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction Fuzzy Hash: 87216631E00108AFDF00DFA8C94ABEEB7B8FF54354F1A4459E441EB242E731AA05CBA0

Function 00892782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0089280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00892840

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 75da24103113d87a19d7f587d609b8bfceeebfe6a9fa8b2ecda46d04f283306e
Instruction ID: 6bfb5443dda7ac89b470ffb5aba7dea9be339d489462c221e4366cfe6fd59ac2
Opcode Fuzzy Hash: 75da24103113d87a19d7f587d609b8bfceeebfe6a9fa8b2ecda46d04f283306e
Instruction Fuzzy Hash: 6221AE31204115BFDB14AB28CC44FAA7B95FF45328F188259F426DB6E2CB71EC42C791

Function 008678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00868D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868D8C
Part of subcall function 00868D7D: lstrcpyW.KERNEL32(00000000,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00868DB2
Part of subcall function 00868D7D: lstrcmpiW.KERNEL32(00000000,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867923
lstrcpyW.KERNEL32(00000000,?,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867984

Strings

cdecl, xrefs: 0086797B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 525f1f18b84d34b749721488488d0e8aa5bc292b66e404fb222d7b282bfe7330
Instruction ID: 06b1211184ea564ee6da46711cdc77693269974dd96599a571038b8fa8a4b678
Opcode Fuzzy Hash: 525f1f18b84d34b749721488488d0e8aa5bc292b66e404fb222d7b282bfe7330
Instruction Fuzzy Hash: FA11293A200301ABCB156F38C844D7A7BE9FF85354B40402AF906CB364EB35D811C7A1

Function 00897CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00897D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00897D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00897D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0087B7AD,00000000), ref: 00897D6B

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction ID: 06ee91184c9b10692f92cfc1d1fbc258c7ba82fc7e43459d784c2ab5d36351ea
Opcode Fuzzy Hash: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction Fuzzy Hash: 8011AC71225614AFCF10AF68CC08AA63BA4FF45364F194329F839C72E0D7318D51CB50

Function 00895660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008956BB
_wcslen.LIBCMT ref: 008956CD
_wcslen.LIBCMT ref: 008956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction ID: a02577e062458b893fe0bad38fe8d1206af3175d1705751defdabb2310a80124
Opcode Fuzzy Hash: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction Fuzzy Hash: FA11E671600618A6DF22FF65DC85AEE7BBCFF11764F18412AF915E6181E770CA80CB64

Function 00831D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction ID: 4f4f68f1d692fd71fd756d2fd14f8cfb34fdc76f980a88da9a62a92390f7fa21
Opcode Fuzzy Hash: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction Fuzzy Hash: 3B016DB220961A7EFA212A787CC5F676B1DFFC2BB8F341326F521E11D2DB619C0051A1

Function 00861A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00861A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A8A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction ID: 72f839c25688f10a385da1c96a4b29517dd0ae223be39bf4003bb1d42164dffa
Opcode Fuzzy Hash: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction Fuzzy Hash: E211273A901229FFEF11DBA4C985FADBB78FB08750F250492EA04B7290D7716E50DB94

Function 0086E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0086E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0086E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0086E24D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction ID: e62af0aa33605046fcd293bcaad68a9f82f58d9aa986a0e3afde2d3366fe8da5
Opcode Fuzzy Hash: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction Fuzzy Hash: 42110476904218BBCB05AFA8AC09A9E7FADFF45320F044316F824E3390D3B58A0487A0

Function 0082D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0082CFF9,00000000,00000004,00000000), ref: 0082D218
GetLastError.KERNEL32 ref: 0082D224
__dosmaperr.LIBCMT ref: 0082D22B
ResumeThread.KERNEL32(00000000), ref: 0082D249

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction ID: e9049dd7208509d9427e6897d0c82120cd7b14c7d5c4ca12d8a3eca22a0fa2fb
Opcode Fuzzy Hash: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction Fuzzy Hash: 0E01D636405328FBDB116BA9EC09BAE7E69FF81330F10422AF925D21D1CF719981C6A1

Function 00899EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetClientRect.USER32(?,?), ref: 00899F31
GetCursorPos.USER32(?), ref: 00899F3B
ScreenToClient.USER32(?,?), ref: 00899F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00899F7A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction ID: 3218d1c87f1b5fb4da985aed47344a41cd06f06c95938e0952251fb7ec32e864
Opcode Fuzzy Hash: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction Fuzzy Hash: 1411063290051ABBDF10EFA8D8499EEB7B9FF45311F48055AF952E3150DB31BA81CBA1

Function 0080600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
GetStockObject.GDI32(00000011), ref: 00806060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction ID: e0441524981d65e31eb4fe6c346e1b43fb8817aaadd5f0857719a551987d1fe8
Opcode Fuzzy Hash: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction Fuzzy Hash: 64115E72541909BFEF525F949C54EEA7BA9FF18364F040216FA14A2150D7329C709BA0

Function 00823B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00823B56

Part of subcall function 00823AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00823AD2
Part of subcall function 00823AA3: ___AdjustPointer.LIBCMT ref: 00823AED

_UnwindNestedFrames.LIBCMT ref: 00823B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00823B7C
CallCatchBlock.LIBVCRUNTIME ref: 00823BA4

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 57a96f9d232351bcea7ec44e1662ae2104662810588e166a296c8736f95da79f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B1012932100158BBDF126E99EC42EEB3F6AFF48764F044014FE48A6121C736E9A1DBB1

Function 00833073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008013C6,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue), ref: 008330A5
GetLastError.KERNEL32(?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000,00000364,?,00832E46), ref: 008330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000), ref: 008330BF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction ID: 6c08a87d50c75a396330122b30597291aa7779989be873d6c845ffe6ec742e8c
Opcode Fuzzy Hash: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction Fuzzy Hash: 82012B32301A26ABCB354BB8AC94A577B98FF85B71F240721F905E7150C722D901C6E0

Function 00867464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0086747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00867497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008674CA

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction ID: 4f07bd7e1c89738e8567621334a30edc0bcaf40f63d8cdfb301dde3fdaad68ae
Opcode Fuzzy Hash: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction Fuzzy Hash: CF11EDB0205305ABE7209F14ED0CB927BFCFB00B08F10816AE616D6091DBB1E904CBE4

Function 0086B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B126

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction ID: 8ed625704996127aaf883266451de57a698d24dfa44a335e8fdc21b2c3e191b3
Opcode Fuzzy Hash: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction Fuzzy Hash: E9116131C0151DEBCF00AFE4E9596EEBF78FF4A715F124086D941F2145DB3095908B55

Function 00897E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00897E33
ScreenToClient.USER32(?,?), ref: 00897E4B
ScreenToClient.USER32(?,?), ref: 00897E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00897E8A

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction ID: c2fad51a09b8545a5c1a7365651bcc8cb0d8a931df1c43e5286267066b3e807e
Opcode Fuzzy Hash: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction Fuzzy Hash: 781142B9D0024AAFDB41DF98C884AEEBBF9FF18310F549066E915E3210D735AA54CF90

Function 00862DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
GetCurrentThreadId.KERNEL32 ref: 00862DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction ID: 7f4d1dd98cef51dab3f825fa3cdeebf3abbce7582079d21d20d0bc118169e8ea
Opcode Fuzzy Hash: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction Fuzzy Hash: 1FE092B11016287BDB202B739C0DFEB3E6CFF52BA1F45055AF106D10909AA2C840C6B0

Function 00898863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00898887
LineTo.GDI32(?,?,?), ref: 00898894
EndPath.GDI32(?), ref: 008988A4
StrokePath.GDI32(?), ref: 008988B2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction ID: 7b922cdc4c534b7fb871ba14ef656f66f4f30b1cb535a229a5bebe303eed893e
Opcode Fuzzy Hash: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction Fuzzy Hash: 4BF03A36042659FADF127F94AC0DFCA3F59BF06310F488102FA11A50E1C7765551CBB9

Function 008198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction ID: 50fffd5f3a35eb52083ccec8e3cf2c603429e597713bd657bf6c6ee831a1c7cb
Opcode Fuzzy Hash: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction Fuzzy Hash: 19E06531244240ABDB216B74BC09BD83F10FB11336F08C21AF7FA940E1C77246449B10

Function 0086162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00861634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008611D9), ref: 00861648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086164F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction ID: 132fc47aebb1da762e8ec8f610bd99aa8a68bbf17e103d922ab1a52981c61662
Opcode Fuzzy Hash: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction Fuzzy Hash: BBE08C36602211EBDB202FE1AE0EB863B7CFF54792F1D880AF245C9080E6358440CB60

Function 0085D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D858
GetDC.USER32(00000000), ref: 0085D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction ID: 3ddd6da0ec06de87f3a537d7b80321c8b514de4f082c354e86a01086b273d8a1
Opcode Fuzzy Hash: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction Fuzzy Hash: A0E01AB1800205DFCF42AFA0D80866DBBB5FB18311F18841AE806E7250CB3A9945AF51

Function 0085D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D86C
GetDC.USER32(00000000), ref: 0085D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction ID: 21eb97bb661c07369737cd54813e66b12010b6e2ebcd9800c521f8d48ed3022d
Opcode Fuzzy Hash: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction Fuzzy Hash: 7DE012B1800204EFCF42AFA0D80866DBBB5FB18310F18800AE80AE7250CB3A9901AF50

Function 00874D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00874ED4

Strings

LPT, xrefs: 00874DFB
*, xrefs: 00874E10

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 33d6fd87bed5021d18ac2cc7dff1058e62ed4f30e483f48a7fd2d2fc5a1d40b3
Instruction ID: 560f95e09a76289c108a649241d84148fabda621ff3eff7c12c9ca592cba90d8
Opcode Fuzzy Hash: 33d6fd87bed5021d18ac2cc7dff1058e62ed4f30e483f48a7fd2d2fc5a1d40b3
Instruction Fuzzy Hash: D8914C75A002049FCB14DF58C884EA9BBF1FF44318F19D099E40A9B3A6DB71ED85CB91

Function 0082E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0082E30D

Strings

pow, xrefs: 0082E2E5, 0082E302

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction ID: cdecedc928b9e3e0eea04b37a48fc4cd4ada1bebd842e984ce279fb5c1468b71
Opcode Fuzzy Hash: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction Fuzzy Hash: B2515CA1A0C10696DB35B718E9053793B94FF80B41F304968E496C27EDDF35CCD19ACA

Function 0081E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0081E1B1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction ID: 30da81b18b43c44b5224f22af6b4fc4c2b3a2a1c1b454008d1a1e704167722eb
Opcode Fuzzy Hash: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction Fuzzy Hash: 5C51317590025ADFDB19DF28C891AFA7BA9FF19311F244059FC91DB2C0D6309E86CBA1

Function 0081F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0081F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0081F2BB

Strings

@, xrefs: 0081F2AF

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction ID: aa7d59a2a8fdc163b82e70fce5cd6ffd762f1cd1a4452604f2101694a1bb4cf4
Opcode Fuzzy Hash: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction Fuzzy Hash: 7E516871418B459BE320AF14DC86BABBBF8FB84300F81495DF29981195EF709529CB67

Function 00885745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008857E0
_wcslen.LIBCMT ref: 008857EC

Strings

CALLARGARRAY, xrefs: 008857E6, 008857EB

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5493c9039cca408db71014e56a8ef83cc54005823513d90acdb4df0ccf75fea2
Instruction ID: 1e72271f667a55dd6ec4935f2d7ee5d12ec6a467d1b70479940d2cac799cfe62
Opcode Fuzzy Hash: 5493c9039cca408db71014e56a8ef83cc54005823513d90acdb4df0ccf75fea2
Instruction Fuzzy Hash: 3D419F31E002099FCB14EFA9C8819EEBBB5FF59724F14406AE505E7292E7709D81CBA1

Function 0087D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0087D13A

Strings

|, xrefs: 0087D10B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction ID: 4737ce9d027a86c2d5aeaebc8f550e2242969397b18714dc15330ca66c82f32c
Opcode Fuzzy Hash: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction Fuzzy Hash: A8311C71D01219ABCF55EFA4CC85AEEBFB9FF04300F504019F819E6166E731A956CB61

Function 0089356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00893621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0089365C

Strings

static, xrefs: 008935BC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 894b4ed8674651b033e624319c58f71cca9eb9ed1950adfeb0ef64f8bf32fbac
Instruction ID: 5e68ed8a444419e6b8f2c6b03bf821148d255d115e7adf86461afb7cc3904039
Opcode Fuzzy Hash: 894b4ed8674651b033e624319c58f71cca9eb9ed1950adfeb0ef64f8bf32fbac
Instruction Fuzzy Hash: 66318D71100604AEDF11EF68DC80EFB73A9FF98724F048619F8A5D7280DA31AD91D760

Function 008197C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetParent.USER32(?), ref: 008573A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0085742D

Strings

U, xrefs: 0081980F, 008573D2, 008573F9

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: U
API String ID: 2181805148-2399391058
Opcode ID: 2e54dc8a01abb15b54898c143d0a1efe44f0dc59909d45a47ef9da7ddb2a2889
Instruction ID: 999bb6a145a8f63c476a3f96a03fa87b47a399454b1a8622afd3d83a98bc270c
Opcode Fuzzy Hash: 2e54dc8a01abb15b54898c143d0a1efe44f0dc59909d45a47ef9da7ddb2a2889
Instruction Fuzzy Hash: 3821A030600104AFCF259F28DC69DE93BA9FF0A375F444265FD698B2A2D3319D95D640

Function 008931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0089327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00893287

Strings

Combobox, xrefs: 00893249

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction ID: bb3e0cd527978fe8a8804a1dd3d133c169659f0275b0f186aaaf824cc61a8643
Opcode Fuzzy Hash: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction Fuzzy Hash: 1711B2713002087FFF25AF94DC84EBB376AFB94365F144129F918E7290D6319D518760

Function 008932A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 008932C7
CreatePopupMenu.USER32 ref: 00893339

Strings

U, xrefs: 00893313, 0089334B

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateMenuPopup
String ID: U
API String ID: 3826294624-2399391058
Opcode ID: f474992b69e8962c612a6c351c19a84a8b4dfd8f680556a0ee9001468eee844a
Instruction ID: 6e9f4bea3ad97306a9294d06585d2737ff1252e709d62cbca9b47dc664478c0b
Opcode Fuzzy Hash: f474992b69e8962c612a6c351c19a84a8b4dfd8f680556a0ee9001468eee844a
Instruction Fuzzy Hash: BF213934605204AFCF21DFA8C445B96BBE5FF0A365F48816AE899CB351D332AE42DF51

Function 00893710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

GetWindowRect.USER32(00000000,?), ref: 0089377A
GetSysColor.USER32(00000012), ref: 00893794

Strings

static, xrefs: 00893757

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction ID: 2f4685d0aac21f2f8307776377cb9f936074a35e7aaecc7b60abb7d2c836643e
Opcode Fuzzy Hash: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction Fuzzy Hash: 971129B2610209AFDF01EFA8CC45AFA7BB8FB08314F044925F955E2250E735E8619B50

Function 00896181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008961FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00896225

Strings

U, xrefs: 008961A2

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: U
API String ID: 3850602802-2399391058
Opcode ID: e4fe4679d81947a6672f3fade6e3f228416f59b04cda8fb50a8639d6fbd18a79
Instruction ID: 424fb074f4a087531ee1d5224e974bb101afbad6415802d8879070a59cb28c41
Opcode Fuzzy Hash: e4fe4679d81947a6672f3fade6e3f228416f59b04cda8fb50a8639d6fbd18a79
Instruction Fuzzy Hash: EC11C431140218BEEF15AFA8CC19FB93BA4FB06714F084115FA26DA1D1F3B1DA20EB60

Function 0087CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0087CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0087CDA6

Strings

<local>, xrefs: 0087CD66

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction ID: 10ef4d07e697c9a8baa434b89c5372517d136f9b0f5a1cdff11a584b0c501401
Opcode Fuzzy Hash: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction Fuzzy Hash: 8F11A071205635BAD7384AA68C89EE7BEA8FB127A8F00822EB10DC3184D674D840D6F0

Function 00893429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008934BA

Strings

edit, xrefs: 0089348F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction ID: d1b6d4b552b483437ff68152d74004a279cd491fdf9da92607cad85f97b2578c
Opcode Fuzzy Hash: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction Fuzzy Hash: 85119D71100108AAEF12AE64DC44AAA37AAFB25378F554324F961D31D0C732ED519768

Function 00894791 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008947EA

Strings

0, xrefs: 008947D3
U, xrefs: 008947AE

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoItemMenu
String ID: U$0
API String ID: 1619232296-4222668077
Opcode ID: e0e79be8ddc990a63fd7f944b4cd0dd1ebc6e6e97615b6f71de03284c54858dd
Instruction ID: 4d2011e2d15b88cf14cf70353ca5734bb00caa1db0025a76bb9f83b6f3c32f1c
Opcode Fuzzy Hash: e0e79be8ddc990a63fd7f944b4cd0dd1ebc6e6e97615b6f71de03284c54858dd
Instruction Fuzzy Hash: 09118E34A40188EFDF28EF48D850EE877B6FB0A355F986066E852EB251C731AD43DA54

Function 00894F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00894FCC

Strings

U, xrefs: 00894FA1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: U
API String ID: 3850602802-2399391058
Opcode ID: ef5d32aa28faf094fa0db1bfbf6e37a5bd2dd700452d95f54da4f445511fb26c
Instruction ID: ff4dce68cc16400a0d597e6fb9d59ffd2746e06f1be3e6bf09993f0a0d1144b8
Opcode Fuzzy Hash: ef5d32aa28faf094fa0db1bfbf6e37a5bd2dd700452d95f54da4f445511fb26c
Instruction Fuzzy Hash: FD21D37660011AEFCF16EFA8C950CEA7BB5FB4D344B144155F906E7310D631E921DBA0

Function 00866C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

CharUpperBuffW.USER32(?,?,?), ref: 00866CB6
_wcslen.LIBCMT ref: 00866CC2

Strings

STOP, xrefs: 00866CBC, 00866CC1

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction ID: d3dda77b3eecfc451da0f7dabf6073d7852bc3dae7efa55c79ca42c5d2d2091d
Opcode Fuzzy Hash: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction Fuzzy Hash: 2501C432A1096A8ACB21AFBDDC809BF77B5FF61714B120528E862D6191FA32D960C650

Function 008190DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

U, xrefs: 00857077, 0085709D

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-2399391058
Opcode ID: 30d59a09fc589d0337f267607e809a62da1cd744449240075fed3ea51b249bab
Instruction ID: 4bffa9f49c4cfdf74e5493ce3e5e797725decf0652a3dcf2b6154253be400b88
Opcode Fuzzy Hash: 30d59a09fc589d0337f267607e809a62da1cd744449240075fed3ea51b249bab
Instruction Fuzzy Hash: 65113D34604A04AFCB20DF18D854EA5BBE6FF99320F548259F9658B3E0C771E945CF90

Function 00861CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00861D4C

Strings

ComboBox, xrefs: 00861CEB
ListBox, xrefs: 00861D16

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction ID: 6a01332b6d63f022957dc2f2eb1af2041aab77c4a9dce760caf38fb5e34dbad4
Opcode Fuzzy Hash: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction Fuzzy Hash: 0601D871601218ABCF44EBA8CC55DFE7768FF56350F080519F872E73C2EA3159088761

Function 00861BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00861C46

Strings

ComboBox, xrefs: 00861BE5
ListBox, xrefs: 00861C10

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction ID: bcd2bdf5a72d6a4bb9899960583e601d2b129585b84231c0371f8336e87b86bf
Opcode Fuzzy Hash: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction Fuzzy Hash: F401B171A8010866CF05EB94CD56AFF77A8FB21340F190019E456E32C2EA209E1896B2

Function 00861C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00861CC8

Strings

ComboBox, xrefs: 00861C69
ListBox, xrefs: 00861C94

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction ID: 97f1af695585f01dd8f38c76d10add04accd16b8a14787d54762ab0196e21954
Opcode Fuzzy Hash: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction Fuzzy Hash: 0B01A2B1A8011866DF14EBA8CE05EFF77A8FB11340F190019B842F32C3EA219F08D672

Function 00861D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00861DD3

Strings

ComboBox, xrefs: 00861D75
ListBox, xrefs: 00861DA0

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction ID: 59ac708b54c17d1f94dd8662ba431658b50fabdfa869aaccb18b5663c7b0c440
Opcode Fuzzy Hash: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction Fuzzy Hash: 1DF08171A4121866DB04A7A8CC56FFF7778FB11350F090919F862E32C2DA60AA088361

Function 008990A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0085769C,?,?,?), ref: 00899111

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 008990F7

Strings

U, xrefs: 008990D6

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: U
API String ID: 982171247-2399391058
Opcode ID: a4549eb19b894706903d74cc5330286bce633aa4f64862074afd31cc17051894
Instruction ID: b06664e70b7c0aa75ddccd19af1ef78f0fa93bb4ab40133c4ea660f556097c6f
Opcode Fuzzy Hash: a4549eb19b894706903d74cc5330286bce633aa4f64862074afd31cc17051894
Instruction Fuzzy Hash: 5E012430201204BBDF21AF18CC59FA63BAAFF85364F08012DF9918B2E1C7326C41CB10

Function 0088747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00887493
_wcslen.LIBCMT ref: 008874B9

Strings

3, 3, 16, 1, xrefs: 00887483

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction ID: efadeb4b3d22f665e556b9c50f7e805f6ec9fdd0375f1483e078fe0b3f815b07
Opcode Fuzzy Hash: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction Fuzzy Hash: D7E02B02204230109231327DACC1A7F5A99FFC5750734282BF985D2276EAD4CDD193B6

Function 00860B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00860B23

Strings

Error allocating memory., xrefs: 00860B1C
AutoIt, xrefs: 00860B17

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b3bc4e09dcfd59ca30c7bd9bea121f1eee551d65b2daa32cddb2a841fae65c7e
Instruction ID: 1359df5513aee643b001c521bbe2296da153dfd2078ec99424c046e8e8297c9e
Opcode Fuzzy Hash: b3bc4e09dcfd59ca30c7bd9bea121f1eee551d65b2daa32cddb2a841fae65c7e
Instruction Fuzzy Hash: 5AE0483124431836D61537987C03FD97E88FF05B65F14446AF798D95C38AE264E056BA

Function 00820D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0081F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00820D71,?,?,?,0080100A), ref: 0081F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 00820D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 00820D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00820D7F

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction ID: 8c2808eb2d02d1b811386a1cbe24f32116129fc638502573066ece1199ba322b
Opcode Fuzzy Hash: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction Fuzzy Hash: 83E06D702017518BD760AFFCE8083467BE4FF00740F044A2EE582C6652DBB5E4888F91

Function 00873017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0087302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00873044

Strings

aut, xrefs: 00873038

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction ID: e3c1315efbe73427d03b54aa80797e60b1aabab7971044bfc9b6fb963ba77463
Opcode Fuzzy Hash: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction Fuzzy Hash: C2D05E7250032877DA20A7E4AC0EFCB3B6CEB04750F0002A2B655E2091EAB5D984CAE0

Function 0085D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0085D220

Strings

%.3d, xrefs: 0085D22B
X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction ID: 82ebf2e436e697812ab780b1194ccd3c50eb0a7f7034d2e7a743619b4ab795ec
Opcode Fuzzy Hash: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction Fuzzy Hash: 95D0127580830CE9CB6097E0CC459F9B37CFF08306F908456FD06D1041D634E58CAB62

Function 00892322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0089233F

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892325

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction ID: 36859f35ded1d2a0d9e680eb972b3c4ee392bb07fd7d16a379ae0603df32265d
Opcode Fuzzy Hash: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction Fuzzy Hash: BCD0C936394310B6E6A4B7709C4FFC66A24BF10B10F054A2A7755EA1D4D9B5A8118A54

Function 00892356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089236C
PostMessageW.USER32(00000000), ref: 00892373

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892365

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction ID: fb497b0ccc96818c90d4456fe7d37c25b8775d9f3a3d31e8f8b511cf71e0d53a
Opcode Fuzzy Hash: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction Fuzzy Hash: 64D0C9363813107AE6A4B7709C4FFC66A24BB14B10F054A2A7755EA1D4D9B5A8118A54

Function 0083BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0083BE93
GetLastError.KERNEL32 ref: 0083BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083BEFC

Memory Dump Source

Source File: 00000000.00000002.1711977872.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1711954598.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712061917.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712153338.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1712175864.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction ID: 7ada22fd652caf26fd0b1fc8b2855e043cb7addf9dc816a1b595ceef77e4101e
Opcode Fuzzy Hash: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction Fuzzy Hash: 624107B4600216EFCF219F69DC54ABA7BA4FF81310F14516AFA59DB1A1DF308C00CBA1

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=kv2mQAOd_S4
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1351726012&timestamp=1727903049136 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=nVB3bI8VyUEdTEPtQxeZH1YDnBZr1h4MvQMo98hYTmmd_C4e6GcEgpm-6XLAANgikEHryIW7ro_4RQzJaLTwR2okQF0CJ45YV0Jd5zQUKUVWgdQxJhDEq0nPpkeviapAnV8kYtxKljxENLtHGlJ47NUsbTvRDT4gakOctITmfnOJDXHPUA
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rcEZevvxWwmovel&MD=GzkgClcm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=rcEZevvxWwmovel&MD=GzkgClcm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Static File Info

General

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre