Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524981
MD5:	746063bf48eaa219d09d96b5184ad1de
SHA1:	ab9f355421da2267713c07fdd573b20db64730e9
SHA256:	1f0a0a605b06a2536f8ed6cfd666c21dd37fae64a04ee2f6ebc3957cbf58dda5
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4824 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 746063BF48EAA219D09D96B5184AD1DE)

taskkill.exe (PID: 2860 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3552 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2228 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1220 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1476 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 5748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4824	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: file.exe, 00000000.00000003.2290694241.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2290734355.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.co
Source: chromecache_96.14.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_96.14.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2291136379.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000003.2290694241.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2290734355.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.googlj
Source: chromecache_102.14.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_96.14.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_96.14.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_102.14.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_102.14.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_96.14.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_96.14.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_96.14.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_96.14.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_96.14.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_102.14.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_96.14.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_96.14.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_96.14.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_102.14.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_96.14.dr	String found in binary or memory: https://www.google.com
Source: chromecache_96.14.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_102.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_96.14.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_96.14.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2059433921.0000000000B94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_96.14.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.5:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C9ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00C9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C8AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CB9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2038080445.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2eacd4f7-8
Source: file.exe, 00000000.00000000.2038080445.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dddecbfe-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_58c6126b-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_29177a16-2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C8D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C8E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C92046	0_2_00C92046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C28060	0_2_00C28060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C88298	0_2_00C88298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5E4FF	0_2_00C5E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5676B	0_2_00C5676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB4873	0_2_00CB4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2CAF0	0_2_00C2CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CAA0	0_2_00C4CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CC39	0_2_00C3CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C56DD9	0_2_00C56DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C291C0	0_2_00C291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3B119	0_2_00C3B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41394	0_2_00C41394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41706	0_2_00C41706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4781B	0_2_00C4781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C419B0	0_2_00C419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3997D	0_2_00C3997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C27920	0_2_00C27920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C47A4A	0_2_00C47A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C47CA7	0_2_00C47CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41C77	0_2_00C41C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C59EEE	0_2_00C59EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CABE44	0_2_00CABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41F32	0_2_00C41F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C3F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C40A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@46/36@12/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C937B5 GetLastError,FormatMessageW,

0_2_00C937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C810BF AdjustTokenPrivileges,CloseHandle,		0_2_00C810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CAA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C9648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C242A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1400:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.12.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C40A76 push ecx; ret	0_2_00C40A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31199 push cs; ret	0_2_00C3119A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3119C push cs; ret	0_2_00C311A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31900 push ss; ret	0_2_00C31906

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C3F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CB1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-74751

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 1182

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.0 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 1182 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5C2A2 FindFirstFileExW,	0_2_00C5C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C968EE FindFirstFileW,FindClose,	0_2_00C968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C9698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C8D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C8D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C99642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C99B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C95C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C95C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9EAA2 BlockInput,

0_2_00C9EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C52622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C44CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C44CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C80B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C52622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C4083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C409D5 SetUnhandledExceptionFilter,	0_2_00C409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C40C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C62BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C62BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8B226 SendInput,keybd_event,

0_2_00C8B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CA22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C80B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C81663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C40698 cpuid

0_2_00C40698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C98195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00C5B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4824, type: MEMORYSTR

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4824, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CA1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CA1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	16 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	12 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	172.217.18.14	true	false	unknown
www3.l.google.com	142.250.185.174	true	false	unknown
play.google.com	172.217.18.14	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
youtube.com	142.250.186.46	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://accounts.google.co	file.exe, 00000000.00000003.2290694241.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2290734355.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google/intl/	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_96.14.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_96.14.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_102.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_96.14.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_102.14.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_96.14.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_96.14.dr	false		unknown
https://accounts.googlj	file.exe, 00000000.00000003.2290694241.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2290734355.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_96.14.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_96.14.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_96.14.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	youtube.com	United States	15169	GOOGLEUS	false
172.217.18.14	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.78	unknown	United States	15169	GOOGLEUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	www3.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524981
Start date and time:	2024-10-03 14:51:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@46/36@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 40 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 142.250.181.238, 142.251.173.84, 34.104.35.123, 142.250.185.234, 142.250.186.170, 142.250.185.106, 142.250.184.234, 172.217.16.138, 142.250.181.234, 172.217.18.10, 142.250.184.202, 142.250.185.202, 142.250.74.202, 142.250.185.74, 216.58.206.42, 142.250.186.42, 142.250.185.138, 142.250.186.106, 142.250.185.170, 142.250.185.227, 216.58.212.163, 172.217.18.106, 142.250.186.138, 142.250.186.74, 172.217.16.202, 216.58.206.74, 93.184.221.240, 192.229.221.95, 142.250.186.67, 142.250.110.84, 172.217.16.142
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	Stager.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://trello.com/c/HA4sCE32	Get hash	malicious	HTMLPhisher	Browse
	https://drmerp.com/bWFpbEBrc2xhdy5jby51aw==&xBvSo7gjDRPy&hmr&x-ad-vt-unk&OC305935	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Phisher	Browse
	http://arcor.cfd	Get hash	malicious	HTMLPhisher	Browse
	http://arcor.cfd#warszawa@psgaz.pl	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	Stager.exe	Get hash	malicious	Unknown	Browse	172.202.163.200 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	https://trello.com/c/HA4sCE32	Get hash	malicious	HTMLPhisher	Browse	172.202.163.200 184.28.90.27
	https://drmerp.com/bWFpbEBrc2xhdy5jby51aw==&xBvSo7gjDRPy&hmr&x-ad-vt-unk&OC305935	Get hash	malicious	HTMLPhisher	Browse	172.202.163.200 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.202.163.200 184.28.90.27
	http://investmentmemo.xyz	Get hash	malicious	HtmlDropper	Browse	172.202.163.200 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 11:52:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.972330200275292
Encrypted:	false
SSDEEP:	48:8ZdwoTQsxsHUidAKZdA19ehwiZUklqehgy+3:88ok+T3y
MD5:	BDAB5FD603F3BFEA794D08E2761B7B96
SHA1:	6A6648129C34865E73B3C3F39FE833DE27399A65
SHA-256:	06FFA6D78CE588C3D48381F92A822093399AD15CC30D9DB23580298F7E7BC74F
SHA-512:	0357F1CEA111DC8852E8F3D2A003595C6769993E522EC2A133031B38EFE93BE190437D795C5776BB9482E168A907EC0A1115B5C8D087A6AE67E6C78E0C862FA8
Malicious:	false
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VCY.f...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 11:52:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9850005068229764
Encrypted:	false
SSDEEP:	48:8sddwoTQsxsHUidAKZdA1weh/iZUkAQkqehny+2:8lok+h9QKy
MD5:	5187577892D5F275EF898062BC500F4B
SHA1:	B57C962AA31E0832696C818FAF16B934FD5EC146
SHA-256:	DD837D6265ADDF466618BBC1E905E1A5E4691D735E21E61BEE477BC9D507A460
SHA-512:	4B5E07FC5F0719246525F501775AB7AA42752C30924E820BE7760F5770E51239736026732A3B53E5D76A7F9192C5986D594B10AF974D7BB3F433D5E4C6D93AC4
Malicious:	false
Preview:	L..................F.@.. ...$+.,...../......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VCY.f...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	3.999472173355142
Encrypted:	false
SSDEEP:	48:8xKdwoTQsxsHUidAKZdA14tseh7sFiZUkmgqeh7sBy+BX:8xPok+Rnzy
MD5:	A37AFF04E9AF42131E314E1CA57B27FA
SHA1:	1D7EFF9E1421C9FBA7DB4F23217518E56B952D44
SHA-256:	E587B46F02ED4A7C42AAA19CB70A66CFD2B2050A8960BC8442D2C675ECE46FFE
SHA-512:	1C8665E2792ACA3B3697EBFA5B091E9D6F16921D1941AB11BA69A58415414E925CC477E21CADDBCA2DE651C118F1E9249875536544CD83C64929C056B46166D0
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 11:52:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9809526244518536
Encrypted:	false
SSDEEP:	48:8LdwoTQsxsHUidAKZdA1vehDiZUkwqehby+R:8mok+Cpy
MD5:	D266AF31E02567BBFBBD2CF9E155E3E4
SHA1:	D691558478FB067A3E5EDAFE6857D26D05DF0EBF
SHA-256:	A9D8212B77250CFE6AEA2B92686B5EEA7659990AB44884FD812460CCFD57AC5D
SHA-512:	73317AC881681AE3AC04ADE7E9AF1B7A6A18E5E5AAA3D270647EDD8E6512C2224D8134063803649DEE141B4BED92E0E0FCDB949AB4A1FA9C7F958AC498F6BE38
Malicious:	false
Preview:	L..................F.@.. ...$+.,....lj......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VCY.f...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 11:52:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.972860143251594
Encrypted:	false
SSDEEP:	48:8+dwoTQsxsHUidAKZdA1hehBiZUk1W1qehty+C:8Dok+y9Ny
MD5:	236BD427EEA781D2215C751089027BC0
SHA1:	2FFA1307E844BA9E46AB40ECBB6C1A40BA263110
SHA-256:	8082783C96463A713FF2C329A56F3604895484AFECF59BB973F03CB39D82C93F
SHA-512:	5A2B97985F01664277E70C01AA09F6747D01DEB21989A68D2F70D1B9EBF3D71DA498F97B779D884BB72316116E8F64238C50835C935F93DEAB1D6EA60EB8B291
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....V......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VCY.f...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 11:52:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9849291365726085
Encrypted:	false
SSDEEP:	48:8OdwoTQsxsHUidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbzy+yT+:8Tok+sT/TbxWOvTbzy7T
MD5:	4C90EB2E1D35754B1C62A19DCDADAFEC
SHA1:	54E5D7097D0AE2C8FA0B9ECDFC4B956250E557F6
SHA-256:	5440197219BF595A1B3F321305FAB90ED6DA33043BCB4F0F48C1A0C1FD644591
SHA-512:	932E2CDBA0DE2429DD3CB7559F3C5C7A06A9B978CC156CF8652AF1EBD450DC4D8014770E25EC6C708FC57097FCB29180C7A70966E86FAB3E1D6C306B3933EA76
Malicious:	false
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.ICY.f....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VCY.f....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VCY.f....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VCY.f..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VCY.f...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..........."........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	744362
Entropy (8bit):	5.791334302173818
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/Q:Nfd8j91/Q
MD5:	5998B16F22823CDA571E9767D2F000F5
SHA1:	8F191C974AF3FDEF368C7A2706A1C81C7F379ADB
SHA-256:	7FFEA98E198646D080873710AD217394C63EF97E6B8F5DD0EBF5E3BB8B7AED8E
SHA-512:	951A410744AFBD905141EB68846DCC707F36B6A3A7C3734633B98064441E417A14F52B1F3FB347114ED15E7899D3554EA9745EACF7076955119AA0EF9ADD206E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGukuT5y8NnMp7TQhoXvWQoBnYT8w/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x39e1fc40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4067
Entropy (8bit):	5.363457972758152
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9cLw:bCMZXVeR6jiosVrqtyzBaImyAKw9z
MD5:	B027BF10F968F37628EB698B2CF46D8E
SHA1:	0C9801E4FF3BE18102E6E22246B4262FCC6CE011
SHA-256:	98608C8414932B6F029948A323B1236EFB96861306FD1EDEB6CE47E180392B47
SHA-512:	3B1E5A3B247273F025EACF389F98BC139F8453ECEC7A2EC762A4E3279F220B7BED2CB23CD5630E92ED03187C514956DF814E9450FFAA10BFE312633B445DBEF1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698791
Entropy (8bit):	5.595243292922648
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XIQqS7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842IQqHJ09
MD5:	7A4AEFC2F596D19F522738DB34C5A680
SHA1:	7F6E9BE8B3C1450075365A31FF6E4B49F1D35BA7
SHA-256:	61D7FF7565945545C0D823CCFC5DB5D09C8714FBF8AD77994F389F08289124B2
SHA-512:	7D80188B002DB3ED7360B9B236DE435F2008345ECEC00FDE39412BE39DE5C08FD80CBD2D7370D0DBB98F4BCCA0CEF147AD9E7935AC2894DB55D81C1B32EB647E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5838009000706945
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	746063bf48eaa219d09d96b5184ad1de
SHA1:	ab9f355421da2267713c07fdd573b20db64730e9
SHA256:	1f0a0a605b06a2536f8ed6cfd666c21dd37fae64a04ee2f6ebc3957cbf58dda5
SHA512:	463e0126e38ae135e4ff603a86b8298a5ce9c7c0ac1f0651ffe78c98205c3482b4349bbf3d8bb13608c80e3462b0b3e22dc94e4ddb2e31db143a2f1fc7b34cd4
SSDEEP:	12288:eqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgayTJ:eqDEvCTbMWu7rQYlBQcBiT6rprG8aSJ
TLSH:	58159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FE920D [Thu Oct 3 12:46:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0B152358F3h
jmp 00007F0B152351FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0B152353DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0B152353AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0B15237F9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0B15237FE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0B15237FD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bf4	0x9c00	a0ff2fe8bc6a05aec5c21c281aedfb04	False	0.31810897435897434	data	5.331451166549155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xeba	data			1.0029177718832891
RT_GROUP_ICON	0xdd674	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd700	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd714	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd728	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd804	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:52:16.697447062 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:16.697448969 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:16.806802988 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:24.391901970 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:24.391963005 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:24.392024994 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:24.393608093 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:24.393629074 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.080171108 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.080534935 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.080563068 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.080960035 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.081015110 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.081837893 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.081887960 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.086363077 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.086445093 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.086843014 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.086858988 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.137829065 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.596133947 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.596363068 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.596590996 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.596647024 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.598417044 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.663953066 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.663992882 CEST	443	49705	142.250.186.46	192.168.2.5
Oct 3, 2024 14:52:25.664005995 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.664045095 CEST	49705	443	192.168.2.5	142.250.186.46
Oct 3, 2024 14:52:25.718298912 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:25.718347073 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:25.718419075 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:25.718736887 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:25.718746901 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.309674978 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:26.310249090 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:26.416943073 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.419055939 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:26.422534943 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.422560930 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.423057079 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.423113108 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.423789978 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.423839092 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.426420927 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.426511049 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.427126884 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.427145958 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.481564999 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.754631042 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.754704952 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.754731894 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.755688906 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:26.755789995 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.757622004 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:26.757644892 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:28.089462042 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 3, 2024 14:52:28.089637041 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 3, 2024 14:52:28.775002003 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:28.775048018 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:28.775120974 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:28.775333881 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:28.775352001 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:28.911590099 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:28.911645889 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:28.911712885 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:28.913583040 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:28.913614035 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:29.470551968 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:29.470900059 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:29.470925093 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:29.471911907 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:29.471967936 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:29.473836899 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:29.473932028 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:29.528460026 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:29.528484106 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:29.575333118 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:29.929394007 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:29.929506063 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:29.974071026 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:29.974098921 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:29.974380016 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.028475046 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.162595034 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.207406998 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.411711931 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.411782980 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.411832094 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.411891937 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.411914110 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.411927938 CEST	49715	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.411933899 CEST	443	49715	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.483150959 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.483191013 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:30.483273029 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.483556986 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:30.483567953 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.368196011 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.368292093 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.374685049 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.374695063 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.374998093 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.392302036 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.439403057 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.667041063 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.667115927 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.667181969 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.670542002 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.670562983 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:31.670624971 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 3, 2024 14:52:31.670631886 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 3, 2024 14:52:35.499730110 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:35.499783039 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:35.499852896 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:35.500081062 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:35.500091076 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.146204948 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.146769047 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.146791935 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.147156954 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.147226095 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.147840023 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.147886038 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.148953915 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.149005890 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.149220943 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.149229050 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.199621916 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.467267036 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.467787027 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.467853069 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.467888117 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.467928886 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.468199015 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.468242884 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.473382950 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.473481894 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.479017019 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.479099989 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.479198933 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.479244947 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.485465050 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.485528946 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.491580963 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.491628885 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.491796970 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.491838932 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.554207087 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.554295063 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.554423094 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.554470062 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.555953026 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.556006908 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.561907053 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.561976910 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.562114954 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.562159061 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.568350077 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.568402052 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.574455976 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.574525118 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.574687004 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.580852985 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.580916882 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.580945969 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.587140083 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.587182999 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.587203026 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.587258101 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.587295055 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.587332010 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.587348938 CEST	443	49732	142.250.185.174	192.168.2.5
Oct 3, 2024 14:52:36.587362051 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.587393999 CEST	49732	443	192.168.2.5	142.250.185.174
Oct 3, 2024 14:52:36.676369905 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.676402092 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:36.676590919 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.676944017 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.676954985 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:36.723733902 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.723793030 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:36.724292040 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.724414110 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:36.724430084 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.234355927 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:37.234389067 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:37.234822035 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:37.236130953 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:37.236150026 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:37.347491980 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.374716043 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.388297081 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.413281918 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.413312912 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.413536072 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.413579941 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.414084911 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.414099932 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.414201021 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.414210081 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.414859056 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.414922953 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.415350914 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.415441036 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.418879986 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.418909073 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.418962955 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.419013023 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.419424057 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.419441938 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.419486046 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.419501066 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.464888096 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.467844009 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.630412102 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.630609035 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.630678892 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.631082058 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.631082058 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.631117105 CEST	443	49735	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.631200075 CEST	49735	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.632132053 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.632164001 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.632602930 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.632602930 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.632632971 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.656431913 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.656538010 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.656594992 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.657188892 CEST	49736	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.657215118 CEST	443	49736	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.658133030 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.658174038 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.658233881 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.658530951 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:37.658541918 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:37.929915905 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:37.929984093 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:37.931915998 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:37.931927919 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:37.932171106 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:37.979837894 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.264425993 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.264823914 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.264837027 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.265131950 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.265187979 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.265731096 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.265784979 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.266302109 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.266345978 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.266604900 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.266612053 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.266664982 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.286811113 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.287050009 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.287064075 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.287367105 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.287426949 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.287975073 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.288027048 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.288217068 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.288269997 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.288424969 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.288433075 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.288448095 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.307403088 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.331397057 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.340569973 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.620378971 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.620486975 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.620527029 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.621001959 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.621112108 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.621157885 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.621208906 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.621218920 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.623032093 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:38.623048067 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:38.675580978 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.719402075 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903685093 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903721094 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903729916 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903742075 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903767109 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903789043 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.903808117 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.903819084 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.903848886 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.905247927 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.905308008 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.905317068 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.906152010 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:38.906193972 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:38.979109049 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.023395061 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246120930 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246380091 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246479034 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.246501923 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246788979 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246814013 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.246829987 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.246839046 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.247020006 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.247348070 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.247397900 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.247435093 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.248939991 CEST	49714	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:52:39.248960018 CEST	443	49714	216.58.206.36	192.168.2.5
Oct 3, 2024 14:52:39.630986929 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:39.631025076 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:39.631041050 CEST	49740	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:52:39.631048918 CEST	443	49740	172.202.163.200	192.168.2.5
Oct 3, 2024 14:52:44.531922102 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:44.531985998 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:44.532319069 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:44.532320023 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:44.532365084 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.568492889 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.568886995 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.568912983 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.569256067 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.569545984 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.569597006 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.569705009 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.569715023 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.569720984 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.891629934 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.892287016 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:52:45.895358086 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.896117926 CEST	49755	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:52:45.896132946 CEST	443	49755	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:06.968811035 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:06.968879938 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:06.969012976 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:06.969259024 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:06.969280958 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.327346087 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.327411890 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.327574968 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.327783108 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.327796936 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.631881952 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.632309914 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.632376909 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.632827997 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.633224010 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.633299112 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.633420944 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.633457899 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.633471012 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.733481884 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.733536005 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.733613014 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.733880043 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.733896971 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.944328070 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.944473028 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.944550037 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.944835901 CEST	49756	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.944895029 CEST	443	49756	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.974870920 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.975132942 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.975150108 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.976464033 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.976892948 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.977066994 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:07.977082968 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.977108002 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:07.977226973 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.029016018 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.477149010 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.477463007 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.477565050 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.478020906 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.478045940 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.479809999 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.480102062 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.480118036 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.480433941 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.480813980 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.480875015 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.480981112 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.481007099 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.481012106 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.675803900 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.675904036 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:08.675976038 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.676501989 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 3, 2024 14:53:08.676518917 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 3, 2024 14:53:16.494875908 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:16.494920969 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:16.495002985 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:16.495398045 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:16.495415926 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.123117924 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.123194933 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.128304005 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.128319025 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.128531933 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.142816067 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.187412024 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.383594990 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.383662939 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.383717060 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.383770943 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.383795977 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.383829117 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.383909941 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.384265900 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.384316921 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.384352922 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.384368896 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.384385109 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.384639025 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.384694099 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.412842035 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.412895918 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:18.412921906 CEST	49759	443	192.168.2.5	172.202.163.200
Oct 3, 2024 14:53:18.412935019 CEST	443	49759	172.202.163.200	192.168.2.5
Oct 3, 2024 14:53:28.763595104 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:28.763634920 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:28.763706923 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:28.764028072 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:28.764045954 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:29.469158888 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:29.473113060 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:29.473149061 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:29.473480940 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:29.473776102 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:29.473844051 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:29.527920008 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:37.857950926 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.857991934 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:37.858066082 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.858146906 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.858175993 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:37.858393908 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.858433008 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.858441114 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:37.858746052 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:37.858757019 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.561995029 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.562357903 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.562424898 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.562845945 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.563127995 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.563199997 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.563277006 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.563314915 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.563328028 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.567193985 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.567658901 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.567676067 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.568041086 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.568444967 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.568506956 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.568582058 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.568608046 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.568613052 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.875531912 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.875675917 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.875783920 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.878001928 CEST	49763	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.878036022 CEST	443	49763	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.878586054 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.880561113 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:38.880629063 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.900242090 CEST	49764	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:53:38.900280952 CEST	443	49764	216.58.206.78	192.168.2.5
Oct 3, 2024 14:53:39.357383013 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:39.357553005 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:53:39.357625961 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:52.732455015 CEST	49761	443	192.168.2.5	216.58.206.36
Oct 3, 2024 14:53:52.732487917 CEST	443	49761	216.58.206.36	192.168.2.5
Oct 3, 2024 14:54:08.158421993 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.158478022 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.158580065 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.159050941 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.159069061 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.283932924 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.283981085 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.284244061 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.284338951 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.284347057 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.800759077 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.801048994 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.801073074 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.801435947 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.801809072 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.801856995 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.801863909 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.801877022 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.801883936 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.841808081 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.841835976 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.972419977 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.972711086 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.972731113 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.973098040 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.973352909 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.973414898 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:08.973479033 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.973493099 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:08.973505020 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.146517038 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.147166014 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.147249937 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:09.147599936 CEST	49766	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:09.147624016 CEST	443	49766	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.317229033 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.320648909 CEST	443	49767	216.58.206.78	192.168.2.5
Oct 3, 2024 14:54:09.320720911 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:09.321042061 CEST	49767	443	192.168.2.5	216.58.206.78
Oct 3, 2024 14:54:09.321060896 CEST	443	49767	216.58.206.78	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 14:52:24.374049902 CEST	52972	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:24.374212027 CEST	51960	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:24.380966902 CEST	53	52972	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:24.381748915 CEST	53	51960	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:24.381907940 CEST	53	56068	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:24.390674114 CEST	53	49603	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:25.667560101 CEST	50320	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:25.667659998 CEST	55516	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:25.717367887 CEST	53	50320	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:25.717458010 CEST	53	55516	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:25.783895969 CEST	53	55029	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:28.700603008 CEST	57038	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:28.700866938 CEST	53521	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:28.766318083 CEST	53	57038	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:28.766339064 CEST	53	53521	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:29.264312983 CEST	53	63906	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:32.638102055 CEST	53	51703	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:35.482458115 CEST	57659	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:35.482587099 CEST	57391	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:35.489321947 CEST	53	57659	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:35.490958929 CEST	53	57391	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:36.629177094 CEST	49939	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:36.629359007 CEST	64027	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:52:36.636300087 CEST	53	64027	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:36.636323929 CEST	53	49939	1.1.1.1	192.168.2.5
Oct 3, 2024 14:52:42.755108118 CEST	53	54449	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:01.710607052 CEST	53	61827	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:24.104156017 CEST	53	63925	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:24.109838963 CEST	53	62012	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:37.589873075 CEST	53	56002	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:37.844014883 CEST	64106	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:53:37.844136953 CEST	59156	53	192.168.2.5	1.1.1.1
Oct 3, 2024 14:53:37.857372999 CEST	53	64106	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:37.857379913 CEST	53	59156	1.1.1.1	192.168.2.5
Oct 3, 2024 14:53:52.740502119 CEST	53	53240	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 14:52:24.374049902 CEST	192.168.2.5	1.1.1.1	0xfe38	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:24.374212027 CEST	192.168.2.5	1.1.1.1	0x60fa	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 3, 2024 14:52:25.667560101 CEST	192.168.2.5	1.1.1.1	0xec9f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.667659998 CEST	192.168.2.5	1.1.1.1	0xd584	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 3, 2024 14:52:28.700603008 CEST	192.168.2.5	1.1.1.1	0xd9b6	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:28.700866938 CEST	192.168.2.5	1.1.1.1	0x8ca1	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 3, 2024 14:52:35.482458115 CEST	192.168.2.5	1.1.1.1	0xfd93	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:35.482587099 CEST	192.168.2.5	1.1.1.1	0xba8e	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 3, 2024 14:52:36.629177094 CEST	192.168.2.5	1.1.1.1	0x9ec5	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:36.629359007 CEST	192.168.2.5	1.1.1.1	0x6cc4	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 3, 2024 14:53:37.844014883 CEST	192.168.2.5	1.1.1.1	0x7f7	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:53:37.844136953 CEST	192.168.2.5	1.1.1.1	0xef28	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 14:52:24.380966902 CEST	1.1.1.1	192.168.2.5	0xfe38	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:24.381748915 CEST	1.1.1.1	192.168.2.5	0x60fa	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717367887 CEST	1.1.1.1	192.168.2.5	0xec9f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717458010 CEST	1.1.1.1	192.168.2.5	0xd584	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 14:52:25.717458010 CEST	1.1.1.1	192.168.2.5	0xd584	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 3, 2024 14:52:28.766318083 CEST	1.1.1.1	192.168.2.5	0xd9b6	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:28.766339064 CEST	1.1.1.1	192.168.2.5	0x8ca1	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 3, 2024 14:52:35.489321947 CEST	1.1.1.1	192.168.2.5	0xfd93	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 14:52:35.489321947 CEST	1.1.1.1	192.168.2.5	0xfd93	No error (0)	www3.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:52:35.490958929 CEST	1.1.1.1	192.168.2.5	0xba8e	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 14:52:36.636323929 CEST	1.1.1.1	192.168.2.5	0x9ec5	No error (0)	play.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 3, 2024 14:53:37.857372999 CEST	1.1.1.1	192.168.2.5	0x7f7	No error (0)	play.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.186.46	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:25 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:25 UTC	1726	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Thu, 03 Oct 2024 12:52:25 GMT Date: Thu, 03 Oct 2024 12:52:25 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:26 UTC	877	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:26 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 03 Oct 2024 12:52:26 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Thu, 03-Oct-2024 13:22:26 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=7UAqN2_zyEE; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=JnPeaOIjK54; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 12:52:26 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgWw%3D%3D; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 12:52:26 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:30 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-03 12:52:30 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=13992 Date: Thu, 03 Oct 2024 12:52:30 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:31 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-03 12:52:31 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25925 Date: Thu, 03 Oct 2024 12:52:31 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-03 12:52:31 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49732	142.250.185.174	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:36 UTC	1244	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-851070450&timestamp=1727959954890 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:36 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-6agMS22T4Donai01TXTG-g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 03 Oct 2024 12:52:36 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw0JBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh2PK8l_b2QQazt1fwaikl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAA2wItcQ" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 36 61 67 4d 53 32 32 54 34 44 6f 6e 61 69 30 31 54 58 54 47 2d 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="6agMS22T4Donai01TXTG-g">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-03 12:52:36 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49736	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:37 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:37 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:52:37 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49735	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:37 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:37 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:52:37 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49742	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:38 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:38 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 35 39 39 35 36 30 34 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727959956042",null,null,null
2024-10-03 12:52:38 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=o710wXYHqA1BpYVDHpq0XnUQqI6OzVubxLwaQckAGeJu9arld-VLbhMnXmJQhPhmZf61SQAwrPycVTdx4OnFW5rnaoN4J7SxfYcfl6jbNQCmD2LtQu-PSBDXm17bG8p222o8eGDJVZGITi7Qk35W1ONsde1M7JiADQaXXKZ-a9Xs27YRBA; expires=Fri, 04-Apr-2025 12:52:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:52:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 03 Oct 2024 12:52:38 GMT Connection: close Transfer-Encoding: chunked
2024-10-03 12:52:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:52:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49743	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:38 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-03 12:52:38 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 35 39 39 35 36 31 33 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727959956137",null,null,null
2024-10-03 12:52:38 UTC	930	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ea-68rD4VqKg83ox4-Kh60EVPMtVqx7APOsIZWPCLJ4JZEDKXh8TZ2L-DL3W6pAIIGQSF1p1D7o0xwaz5hpKAb0Ix7RqwS15rUl3EO5JKxDqn6jbanyXrrT_gkfIe3nULd93tQmfblyQNgOSlSJ0YWut4EbeyarpAmFMXgZbqewiNsHb; expires=Fri, 04-Apr-2025 12:52:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:52:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 03 Oct 2024 12:52:38 GMT Connection: close Transfer-Encoding: chunked
2024-10-03 12:52:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:52:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49740	172.202.163.200	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:38 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=urwy376vUoYwN9O&MD=cUCp41Hp HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-03 12:52:38 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 6f4ddad4-7737-4589-be87-2fd7296519b5 MS-RequestId: dad0dc2b-5b33-4e63-8dc8-ce300d104094 MS-CV: o6GIbP6aUEWK4E90.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 03 Oct 2024 12:52:38 GMT Connection: close Content-Length: 24490
2024-10-03 12:52:38 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-03 12:52:38 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49714	216.58.206.36	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:38 UTC	1219	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ea-68rD4VqKg83ox4-Kh60EVPMtVqx7APOsIZWPCLJ4JZEDKXh8TZ2L-DL3W6pAIIGQSF1p1D7o0xwaz5hpKAb0Ix7RqwS15rUl3EO5JKxDqn6jbanyXrrT_gkfIe3nULd93tQmfblyQNgOSlSJ0YWut4EbeyarpAmFMXgZbqewiNsHb
2024-10-03 12:52:39 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 03 Oct 2024 10:34:04 GMT Expires: Fri, 11 Oct 2024 10:34:04 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 8315 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-03 12:52:39 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-03 12:52:39 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-03 12:52:39 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-03 12:52:39 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-03 12:52:39 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49755	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:52:45 UTC	1304	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ea-68rD4VqKg83ox4-Kh60EVPMtVqx7APOsIZWPCLJ4JZEDKXh8TZ2L-DL3W6pAIIGQSF1p1D7o0xwaz5hpKAb0Ix7RqwS15rUl3EO5JKxDqn6jbanyXrrT_gkfIe3nULd93tQmfblyQNgOSlSJ0YWut4EbeyarpAmFMXgZbqewiNsHb
2024-10-03 12:52:45 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 39 35 39 39 35 33 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727959953000",null,null,null,
2024-10-03 12:52:45 UTC	938	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG; expires=Fri, 04-Apr-2025 12:52:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:52:45 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Thu, 03 Oct 2024 12:52:45 GMT Connection: close Transfer-Encoding: chunked
2024-10-03 12:52:45 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:52:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49756	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:07 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1337 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:53:07 UTC	1337	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 35 39 39 38 36 33 38 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727959986381",null,null,null
2024-10-03 12:53:07 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:53:07 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:53:07 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:53:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49757	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:07 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1368 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:53:07 UTC	1368	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 35 39 39 38 36 37 34 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727959986740",null,null,null
2024-10-03 12:53:08 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:53:08 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:53:08 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:53:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49758	172.217.18.14	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:08 UTC	1295	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1043 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:53:08 UTC	1043	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-03 12:53:08 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:53:08 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:53:08 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:53:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49759	172.202.163.200	443

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:18 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=urwy376vUoYwN9O&MD=cUCp41Hp HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-03 12:53:18 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 36694965-1b27-4051-8da3-44b9a9a2f33a MS-RequestId: cb343332-1480-4f0d-9888-9b392f109896 MS-CV: of/BTXMESk+ps7Rn.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 03 Oct 2024 12:53:17 GMT Connection: close Content-Length: 30005
2024-10-03 12:53:18 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-03 12:53:18 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49763	216.58.206.78	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:38 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1340 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:53:38 UTC	1340	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 36 30 30 31 37 32 35 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727960017257",null,null,null
2024-10-03 12:53:38 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:53:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:53:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:53:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49764	216.58.206.78	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:53:38 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1272 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:53:38 UTC	1272	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 36 30 30 31 37 32 35 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727960017259",null,null,null
2024-10-03 12:53:38 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:53:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:53:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:53:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49766	216.58.206.78	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:54:08 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1217 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:54:08 UTC	1217	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 36 30 30 34 37 35 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727960047572",null,null,null
2024-10-03 12:54:09 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:54:09 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:54:09 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:54:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49767	216.58.206.78	443	2860	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 12:54:08 UTC	1335	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1240 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=BiPrCnTi1ZHqN48EFWpAK6EJxd3Oo48bXVaRTECTao0hULq9AFWvkQCkeiKqGQPAsRb72-jR7vW3vJJyGX6V-QyTl_y5G72WcfGMUR2oe40-OKvv1CFPOZ3GaGkaweCmtGc08_uyEVR-ge2j70S64hQeN168-5IRw6iFx9tEfsIBsj3CFh8QxOQG
2024-10-03 12:54:08 UTC	1240	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 36 30 30 34 37 36 39 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727960047698",null,null,null
2024-10-03 12:54:09 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Thu, 03 Oct 2024 12:54:09 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-03 12:54:09 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-03 12:54:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc20000
File size:	919'040 bytes
MD5 hash:	746063BF48EAA219D09D96B5184AD1DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x950000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x950000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x950000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:52:20
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:52:21
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x950000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:52:21
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:52:21
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x950000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:52:21
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:52:22
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	08:52:23
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	08:52:36
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:52:36
Start date:	03/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1984,i,18014017823423047097,8512500813314935792,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1541
Total number of Limit Nodes:	59

Executed Functions

Function 00C242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C2430D

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

GetCurrentProcess.KERNEL32(?,00CBCB64,00000000,?,?), ref: 00C24422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C24429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C24454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C24474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C2447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C244A0

Strings

kernel32.dll, xrefs: 00C2444F
GetNativeSystemInfo, xrefs: 00C24460
|O, xrefs: 00C636F8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
Instruction ID: df395008ea6071cf081cf4119e593a77fb469452163e82176e35f97dfa2267d8
Opcode Fuzzy Hash: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
Instruction Fuzzy Hash: 00A1A47695A2D4DFC725D76DBC813BD7FE47B26300B0C58A9E88593A32D220460DDB23

Function 00C242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242C9
LoadResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635BE
SizeofResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635D3
LockResource.KERNEL32(00C250AA,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20,?), ref: 00C635E6

Strings

SCRIPT, xrefs: 00C242BF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
Instruction ID: 575fb7980e9cdbe4cb7df6f0d7a614ef3f7f49f473b4a454a3f654ad45f4298a
Opcode Fuzzy Hash: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
Instruction Fuzzy Hash: 45118E74200700FFDB258BA6EC88F6B7BB9EBC5B51F104269F412D6690DB71DD008631

Function 00C62BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C22B6B

Part of subcall function 00C23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF1418,?,00C22E7F,?,?,?,00000000), ref: 00C23A78

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CE2224), ref: 00C62C10
ShellExecuteW.SHELL32(00000000,?,?,00CE2224), ref: 00C62C17

Strings

runas, xrefs: 00C62C0B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5c1ec2d320ce27fd56cfd984e923afe80dc18ebb527ea507b8c840e197860688
Instruction ID: 814ce076987985d504cd36ba5ae8a48415e0d428471e1811e856b010e7526302
Opcode Fuzzy Hash: 5c1ec2d320ce27fd56cfd984e923afe80dc18ebb527ea507b8c840e197860688
Instruction Fuzzy Hash: 0C11B431208395ABC714FF60F891ABE7BA4EBD5310F48082DF593164A2CF358A0AE752

Function 00CAA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CAA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CAA6BA

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CAA79C
CloseHandle.KERNELBASE(00000000), ref: 00CAA7AB

Part of subcall function 00C3CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C63303,?), ref: 00C3CE8A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c0141b1df10b5acf057d5c08421ac8ebaa6e9cccbfdf66c9d350211cb9d779f7
Instruction ID: 82ef36dd334fb790ebd2b11a3532a2fafd00ed064bc3e8ed58768700e58697ef
Opcode Fuzzy Hash: c0141b1df10b5acf057d5c08421ac8ebaa6e9cccbfdf66c9d350211cb9d779f7
Instruction Fuzzy Hash: 89513B71508311AFD710EF24D886A6FBBE8FF89754F00492DF595972A2EB30D904DBA2

Function 00C8DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00C65222), ref: 00C8DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C8DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C8DBEE
FindClose.KERNEL32(00000000), ref: 00C8DBFA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
Instruction ID: 89b52405fd4f394b89de54686912e10796b291827fda286346169963f6f74753
Opcode Fuzzy Hash: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
Instruction Fuzzy Hash: BFF0A030810910578320BB7CAC4DAAE376C9E01338F104702F836C20F0EBB05E54879A

Function 00C44CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D09
TerminateProcess.KERNEL32(00000000,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D10
ExitProcess.KERNEL32 ref: 00C44D22

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f52595dada68502b1ec2449d3bb6bbb087d2fbeea38bb4f60d5b26629416dbd9
Instruction ID: 4668bae2dd484a16145d27a87caf61ac8151bc4171efa051005fddc7ff000577
Opcode Fuzzy Hash: f52595dada68502b1ec2449d3bb6bbb087d2fbeea38bb4f60d5b26629416dbd9
Instruction Fuzzy Hash: 69E0B631400148ABCF15AF54DD49B9C3BA9FB41791F604118FC159A132CB35DE42DA80

Function 00CAAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CAB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB1D4
_wcslen.LIBCMT ref: 00CAB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB236
_wcslen.LIBCMT ref: 00CAB332

Part of subcall function 00C905A7: GetStdHandle.KERNEL32(000000F6), ref: 00C905C6

_wcslen.LIBCMT ref: 00CAB34B
_wcslen.LIBCMT ref: 00CAB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CAB3B6
GetLastError.KERNEL32(00000000), ref: 00CAB407
CloseHandle.KERNEL32(?), ref: 00CAB439
CloseHandle.KERNEL32(00000000), ref: 00CAB44A
CloseHandle.KERNEL32(00000000), ref: 00CAB45C
CloseHandle.KERNEL32(00000000), ref: 00CAB46E
CloseHandle.KERNEL32(?), ref: 00CAB4E3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: fd4ed092d0614c386a33788716150e52209d74c09896e7cac6381b1f4fecafac
Instruction ID: 1a7a50f8f28d1fa4495a824febf840a8e410b9680344b09599482587ae10e06f
Opcode Fuzzy Hash: fd4ed092d0614c386a33788716150e52209d74c09896e7cac6381b1f4fecafac
Instruction Fuzzy Hash: 5DF1CE715083019FCB14EF24C891B6EBBE5BF86318F14895DF8999B2A2CB31ED41DB52

Function 00C2D731 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C2D807
timeGetTime.WINMM ref: 00C2DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB28
TranslateMessage.USER32(?), ref: 00C2DB7B
DispatchMessageW.USER32(?), ref: 00C2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB9F
Sleep.KERNELBASE(0000000A), ref: 00C2DBB1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 407ae7c60dd58872fb9077ff263faa4c00d83820948854be4a3bf94c43a4dd5d
Instruction ID: 229aa22f4ee67e3b22c2cd70db2b99569fdde0ad4786cb8a9c1cfc2fe0eba868
Opcode Fuzzy Hash: 407ae7c60dd58872fb9077ff263faa4c00d83820948854be4a3bf94c43a4dd5d
Instruction Fuzzy Hash: B9421430608351DFD729DF25D894BAAB7E0FF65310F14861DF8AA87691CB70E984DB82

Function 00C22CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C22D07
RegisterClassExW.USER32(00000030), ref: 00C22D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
LoadIconW.USER32(000000A9), ref: 00C22D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94

Strings

0, xrefs: 00C22CE9
+, xrefs: 00C22CF0
TaskbarCreated, xrefs: 00C22D37
AutoIt v3 GUI, xrefs: 00C22D23

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
Instruction ID: c874d4120f9da2bdab68b8a3a19fa68037f7382f9eb0b89d504458baa29af947
Opcode Fuzzy Hash: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
Instruction Fuzzy Hash: EB2193B5911318EFDB00DFA4E889BEDBBB4FB08701F14421AF951A62A0DBB55644CF91

Function 00C6065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7

GetLastError.KERNEL32 ref: 00C6076F
__dosmaperr.LIBCMT ref: 00C60776
GetFileType.KERNELBASE(00000000), ref: 00C60782
GetLastError.KERNEL32 ref: 00C6078C
__dosmaperr.LIBCMT ref: 00C60795
CloseHandle.KERNEL32(00000000), ref: 00C607B5
CloseHandle.KERNEL32(?), ref: 00C608FF
GetLastError.KERNEL32 ref: 00C60931
__dosmaperr.LIBCMT ref: 00C60938

Strings

H, xrefs: 00C608BD

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
Instruction ID: 4498fb81f6e140ada7c5fb8000bc93d0eb991f4a11b314791d475d23cc92d894
Opcode Fuzzy Hash: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
Instruction Fuzzy Hash: 8FA11932A141048FDF29EF68D891BAE7BE1AB46320F24015DF815AB3D2D7319D13DB51

Function 00C2344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF1418,?,00C22E7F,?,?,?,00000000), ref: 00C23A78

Part of subcall function 00C23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C23379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C2356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C6318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C631CE
RegCloseKey.ADVAPI32(?), ref: 00C63210
_wcslen.LIBCMT ref: 00C63277
_wcslen.LIBCMT ref: 00C63286

Strings

Include, xrefs: 00C63184, 00C631C5
\, xrefs: 00C6328C
Software\AutoIt v3\AutoIt, xrefs: 00C23560
\Include\, xrefs: 00C23527

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b32cc433cc63efc863d154f97cba7479db7a5e7aa05552844baefee992043629
Instruction ID: 832550c77ee87eedf93035d7e0ce599f1b3feed97b8dd6a4a2619ae642de9620
Opcode Fuzzy Hash: b32cc433cc63efc863d154f97cba7479db7a5e7aa05552844baefee992043629
Instruction Fuzzy Hash: EA7158B14043119FC314EF69E881AAFBBE8FF95740F40082EF555831B1EB349A49DB62

Function 00C22B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C22B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C22B9D
LoadIconW.USER32(00000063), ref: 00C22BB3
LoadIconW.USER32(000000A4), ref: 00C22BC5
LoadIconW.USER32(000000A2), ref: 00C22BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C22BEF
RegisterClassExW.USER32(?), ref: 00C22C40

Part of subcall function 00C22CD4: GetSysColorBrush.USER32(0000000F), ref: 00C22D07
Part of subcall function 00C22CD4: RegisterClassExW.USER32(00000030), ref: 00C22D31
Part of subcall function 00C22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
Part of subcall function 00C22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
Part of subcall function 00C22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
Part of subcall function 00C22CD4: LoadIconW.USER32(000000A9), ref: 00C22D85
Part of subcall function 00C22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94

Strings

AutoIt v3, xrefs: 00C22C2F
#, xrefs: 00C22C16
0, xrefs: 00C22C0F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
Instruction ID: 3a1c936d2516d1a4c3ffb925519768383f89cebc6fa2f65d5bb8d16d80917558
Opcode Fuzzy Hash: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
Instruction Fuzzy Hash: 04211A74E00315EBDB109FA6EC95BBE7FB4FB48B50F08011AEA00A66B0D7B10548DF91

Function 00C23170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C2316A,?,?), ref: 00C231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C2316A,?,?), ref: 00C23204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C23227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C2316A,?,?), ref: 00C23232
CreatePopupMenu.USER32 ref: 00C23246
PostQuitMessage.USER32(00000000), ref: 00C23267

Strings

TaskbarCreated, xrefs: 00C2322D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: aed12e9d9249a8b3cf2458bb916f4a1a8b4e084e4e9b16a72d9e65fa788ae418
Instruction ID: 3e8166f0ac0d4102081a277bd88c79e605cdfbd6e5097357f70fc8cde74ceb36
Opcode Fuzzy Hash: aed12e9d9249a8b3cf2458bb916f4a1a8b4e084e4e9b16a72d9e65fa788ae418
Instruction Fuzzy Hash: 844119352402A4E7DF251B78BD8DB7D3A29EB05350F080125F951969E2CB79CB40E7A2

Function 00C21410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C21459
CoUninitialize.COMBASE ref: 00C214F8
UnregisterHotKey.USER32(?), ref: 00C216DD
DestroyWindow.USER32(?), ref: 00C624B9
FreeLibrary.KERNEL32(?), ref: 00C6251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C6254B

Strings

close all, xrefs: 00C21454

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 34e7064f2d3fb747df858a4ec1b4461ee69cc41ab06cd05d586c465bc1499cf9
Instruction ID: 4363b7cede5dd9cd9d9a29cd5bfeafc8b4e188ea4d3e84cbc6c498787c348003
Opcode Fuzzy Hash: 34e7064f2d3fb747df858a4ec1b4461ee69cc41ab06cd05d586c465bc1499cf9
Instruction Fuzzy Hash: 1AD15A31701622CFDB29EF15D8D9A29F7A0BF15700F1842ADE84A6B661DB30ED12DF91

Function 00C22C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C22C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C22CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CCF

Strings

AutoIt v3, xrefs: 00C22C89, 00C22C8E, 00C22C8F
edit, xrefs: 00C22CAC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
Instruction ID: d87b1f67847f975d00776883f5f598a51ab7309dba1edf886e1e1f6441f0741b
Opcode Fuzzy Hash: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
Instruction Fuzzy Hash: 9EF0DA76940290BAEB311B17AC48FBB3EBDD7C7F60F04005AFD00A65B0C6615854DAB1

Function 00C52DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00C4F2DE,00C53863,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6), ref: 00C52DFD
_free.LIBCMT ref: 00C52E32
_free.LIBCMT ref: 00C52E59
SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E66
SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E6F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
Instruction ID: f24b54db4efb4e0cc52687e385d848b0c1aab3b7f500771d7792f09c10d51a7e
Opcode Fuzzy Hash: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
Instruction Fuzzy Hash: 6A01FE3E10550067C61227756C87F6F16D99BD33A7F244129FC31A2293DFA49DCD5128

Function 00C23B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B83

Strings

Control Panel\Mouse, xrefs: 00C23B3E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
Instruction ID: ac3a7b6bb841a1ecc43cc28f1e3ce6f99e48789a6425f1cbdaca580817b76ed7
Opcode Fuzzy Hash: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
Instruction Fuzzy Hash: 021127B5611268FFDB20CFA5EC84AAEBBB8EF04744B10856AB805D7110E2359F409BA0

Function 00C23923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C633A2

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C23A04

Strings

Line: , xrefs: 00C633EB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5a1e1deb63f1d1b7da6a2d1dea6f22de9f11e48d49bc443a94ccbb36aecdf971
Instruction ID: 99eadbe3d41a91bdc409fa20d2f3ab17a4c8b283f3830bc786537e70b9972387
Opcode Fuzzy Hash: 5a1e1deb63f1d1b7da6a2d1dea6f22de9f11e48d49bc443a94ccbb36aecdf971
Instruction Fuzzy Hash: E031E3715083A4ABC325EB20EC45FEFB3E8AB41310F04092AF599825A1DB749B49DBD3

Function 00C3FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C40668

Part of subcall function 00C432A4: RaiseException.KERNEL32(?,?,?,00C4068A,?,00CF1444,?,?,?,?,?,?,00C4068A,00C21129,00CE8738,00C21129), ref: 00C43304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C40685

Strings

Unknown exception, xrefs: 00C40692

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 9d425945bf2eea76c224c8c2c026486a0874ee9fedda0b5e258bdcabe86a9c6e
Instruction ID: 5f53520884f127979cc0f491dc6b15941f3ed7ed66226b56b960af289e67f58c
Opcode Fuzzy Hash: 9d425945bf2eea76c224c8c2c026486a0874ee9fedda0b5e258bdcabe86a9c6e
Instruction Fuzzy Hash: D2F0C23494060DB78B00BA65E84AC9E7B6CBE40310B704535BE2896592EF71DB6AD990

Function 00C210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22

Part of subcall function 00C21B4A: RegisterWindowMessageW.USER32(00000004,?,00C212C4), ref: 00C21BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2136A
OleInitialize.OLE32 ref: 00C21388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C624AB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 650b116cfb362be3f4bc12797da1c78002a6a14b46f647c6dc20aadb6e3d4b5e
Instruction ID: 9593dc22fbdba46e8d0597eedd62f356b6cb5ee8a432d188450cea0b16101e9a
Opcode Fuzzy Hash: 650b116cfb362be3f4bc12797da1c78002a6a14b46f647c6dc20aadb6e3d4b5e
Instruction Fuzzy Hash: 3071ABB4911244CFC784EF7AA9457BD3AE0FB9839475D822AED0ACB2A1EB314444DF43

Function 00C8C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C23A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C8C259
KillTimer.USER32(?,00000001,?,?), ref: 00C8C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C8C270

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1d2e52cd2af639d04ecb94ad8fbf90894aeeb6fd2b795f095d0abc05d18815a1
Instruction ID: 275017ad89f0b2b115dd2cdb8760c65aa3f313b643fbeea7fec5af522ccd4da1
Opcode Fuzzy Hash: 1d2e52cd2af639d04ecb94ad8fbf90894aeeb6fd2b795f095d0abc05d18815a1
Instruction Fuzzy Hash: EA319870904354AFEB62DF64C8D5BEBBBFC9B06308F04049DD5E997181C7745A84CB65

Function 00C586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C585CC,?,00CE8CC8,0000000C), ref: 00C58704
GetLastError.KERNEL32(?,00C585CC,?,00CE8CC8,0000000C), ref: 00C5870E
__dosmaperr.LIBCMT ref: 00C58739

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
Instruction ID: e021187d1d5b25a395236bfb7b996fd7896776822e4b03f7f978691c658d6199
Opcode Fuzzy Hash: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
Instruction Fuzzy Hash: 9D016B3AA1562017D3606234A84577E27494F91776F390219FC28AB0E2DEA08DCDD15C

Function 00C2DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C2DB7B
DispatchMessageW.USER32(?), ref: 00C2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB9F
Sleep.KERNELBASE(0000000A), ref: 00C2DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C71CC9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 84d5f514fadc40bd3f0c238611ca2c77ec9f0d304d348f47c29acdbd8e33782a
Instruction ID: 743b8c2093b660208ca41967ff0721401f2e0d73e0dafa3bc133eeecae9426de
Opcode Fuzzy Hash: 84d5f514fadc40bd3f0c238611ca2c77ec9f0d304d348f47c29acdbd8e33782a
Instruction Fuzzy Hash: 57F05E306043449BEB30CBA4DC99FEA73ACEB44351F144618EA5AD30C0DB309588DB26

Function 00C31310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C317F6

Strings

CALL, xrefs: 00C317C6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: fdc0e63205f54377a005e371235a993408709571b66a6a2cb7df18317dadbabb
Instruction ID: 8111a31a317eb38b8682992be1538004ce3a1d4f12ba557ef8981db7281538b8
Opcode Fuzzy Hash: fdc0e63205f54377a005e371235a993408709571b66a6a2cb7df18317dadbabb
Instruction Fuzzy Hash: 2F228A706183019FC714DF25C484B2ABBF1BF89314F28892DF89A8B3A1D731E945DB92

Function 00C22DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C62C8C

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4

Strings

X, xrefs: 00C62C5A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
Instruction ID: 2da9e425c9c4dced4351ae37b17c109e18fc932f88031d25f5fe49cbc280c60f
Opcode Fuzzy Hash: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
Instruction Fuzzy Hash: D321D570A102A8AFDF11EF94D845BEE7BFCAF58314F004059E405B7241DBB85A49DFA1

Function 00C23837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C23908

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3d5654f76f33353877611d1533910c2159e8a3cf4e46cefefc26d93df182ed4b
Instruction ID: 8d2c3f0d6f85074824b9041dd24e3defddfd1863171f71091c73a5c1d3aef583
Opcode Fuzzy Hash: 3d5654f76f33353877611d1533910c2159e8a3cf4e46cefefc26d93df182ed4b
Instruction Fuzzy Hash: 7A31C370604351CFD320DF25D8847ABBBF8FB49318F00092EF99987690E775AA48CB52

Function 00C3F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C3F661

Part of subcall function 00C2D731: GetInputState.USER32 ref: 00C2D807

Sleep.KERNEL32(00000000), ref: 00C7F2DE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 740fd6cea3981ebec1d8a8942dc093b2766be1c2963dd3cb830794a811480906
Instruction ID: 7f111ac1bf9c4f89862fcd7ec1592e734d4f43aff898a347e2ecba59aec715e0
Opcode Fuzzy Hash: 740fd6cea3981ebec1d8a8942dc093b2766be1c2963dd3cb830794a811480906
Instruction Fuzzy Hash: 02F08C31240615AFD310EF69E48AB6AB7E8EF55760F00412AF85ADB661DB70AC00CBA0

Function 00C2B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C2BB4E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3f761f3bf038ca71f982a335d6ada22f7ca736c23778cea39bf757fa6700d256
Instruction ID: ab4a8cdceb332bb6aa255710e91920d7010dcdd4d0ec3649b7f875bccb5ee085
Opcode Fuzzy Hash: 3f761f3bf038ca71f982a335d6ada22f7ca736c23778cea39bf757fa6700d256
Instruction Fuzzy Hash: 1C32DF75A00219DFCB20CF54D894BBEB7B9FF44300F248059E929AB6A1C774EE81DB91

Function 00C24ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
Part of subcall function 00C24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
Part of subcall function 00C24E90: FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EFD

Part of subcall function 00C24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
Part of subcall function 00C24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
Part of subcall function 00C24E59: FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
Instruction ID: d213282ec0657e17a581f3c94821a371a105d5831366b9f8aedcd1bca775d8a7
Opcode Fuzzy Hash: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
Instruction Fuzzy Hash: 36110A32610215ABDF28FFA4ED42FAD77A5AF90710F10442DF542A65C1DEB09E15AB50

Function 00C58402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C58440

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
Instruction ID: f30923892979071522c2cd49a84e7f7afa625e00861493c81887e04a8d036fd9
Opcode Fuzzy Hash: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
Instruction Fuzzy Hash: E411487590410AAFCB05DF58E940A9F7BF9EF48301F104059FC09AB312DB30DA15CBA9

Function 00CB29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00CB14B5,?), ref: 00CB2A01

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2edc65f974c7fb0efab1c54bc13787f16213db7f8feab2f842b64e8133ca8fda
Instruction ID: fb86ac0f04126afeb270d5ae5060c7754d311f951a531544beb6aa7ccaf483f6
Opcode Fuzzy Hash: 2edc65f974c7fb0efab1c54bc13787f16213db7f8feab2f842b64e8133ca8fda
Instruction Fuzzy Hash: FE01D436740A819FD334CA2DC454BA67792EBC9314F298568C05B8B251DB32FD42D7A0

Function 00C4E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1577ce8737c6c50ce1caede9ddf87ea36775f56c513e9e696c3cfbb4b33cc94a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D3F0F436510A1896C7313A7A9C05BDA339CBF62336F120715F825A22D2CF74994AA6A9

Function 00C54C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C21129,00000000,?,00C52E29,00000001,00000364,?,?,?,00C4F2DE,00C53863,00CF1444,?,00C3FDF5,?), ref: 00C54CBE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd28b56a7cfd9bf6cac05116c7f8c2a7f236746829c7c6b57709dddc961eaeeb
Instruction ID: 2d130f18790d74cbd1dbcf08fc9ae6a8b0b74e7284f211083fcbf7531c9ffbe9
Opcode Fuzzy Hash: cd28b56a7cfd9bf6cac05116c7f8c2a7f236746829c7c6b57709dddc961eaeeb
Instruction Fuzzy Hash: 64F0593920223067DB281F669C04B5A3788BFD13AAB144111BC35A7280CA70F9C992E8

Function 00C53820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
Instruction ID: e404e36772ac67955ab5d149d69eaf0afd0a7de98ee504897884346dffc834d4
Opcode Fuzzy Hash: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
Instruction Fuzzy Hash: B2E0E5391002A4A6E73926679C00B9A3748AB427F6F190123BC24A74D1CB51DF8991F9

Function 00C24F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24F6D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
Instruction ID: 74a292d44e26036955d113bb049f39da42626acbe4883bc98bc6ecf17bd3d2ab
Opcode Fuzzy Hash: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
Instruction Fuzzy Hash: 4CF0A071005321CFCB388FA5E590816B7E0FF40319310897EE1EA82910C7319844DF10

Function 00C230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C2314E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: df189a1c6a061ee3c1f013fd09afa22d4e1d20e4d2528afaf5493afe6378a214
Instruction ID: 4de09337f25ec0dd33210728ce76b8231db69fd8b98d93e7c51e5a4407bec53d
Opcode Fuzzy Hash: df189a1c6a061ee3c1f013fd09afa22d4e1d20e4d2528afaf5493afe6378a214
Instruction Fuzzy Hash: DEF037709143589FE7529F24DC46BED7BBCA701708F0401E5A54896192D7745B88CF52

Function 00C22DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
Instruction ID: 153af8c30089c832ed22278ebd1d9efb60af3742a6f5b9ec4b855b88d896a7d2
Opcode Fuzzy Hash: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
Instruction Fuzzy Hash: 8EE0CD726001245BC720D6989C05FDA77DDDFC8790F040171FD09D7248D960AD809551

Function 00C22B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C23837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C23908

Part of subcall function 00C2D731: GetInputState.USER32 ref: 00C2D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C22B6B

Part of subcall function 00C230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C2314E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 633d9e1b487b6027b1a2684dc00285dff7f2e874c4d202ba32876b62a6544fcb
Instruction ID: 0c4c720f46e3bd9e4e9bc76500da6ac3766bc473451ee500112f3c72e734b4c7
Opcode Fuzzy Hash: 633d9e1b487b6027b1a2684dc00285dff7f2e874c4d202ba32876b62a6544fcb
Instruction Fuzzy Hash: 90E07D213002A807CB04BB34B8526BDB749DBE1311F44053EF143475A3CF2846459362

Function 00C6039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
Instruction ID: 3073017e34baff4bfb0f1b9e75a36dd97ca3a873c9b48ecaba5e68d47e5681a6
Opcode Fuzzy Hash: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
Instruction Fuzzy Hash: BBD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014100BE1866020C732E821AB90

Function 00C21CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C21CBC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2aeac18e79a37fb3b1f0704529601b6e80cdebaaad1d462bb5e66ee0a20a7557
Instruction ID: 6a76862c34c1cb876c2a91aa919296b9fc89af02a5c9bf4e28be3ff878d0ae89
Opcode Fuzzy Hash: 2aeac18e79a37fb3b1f0704529601b6e80cdebaaad1d462bb5e66ee0a20a7557
Instruction Fuzzy Hash: A5C09B36280305DFF6144B80BC4AF387754A348B00F044001F609555F3C3A11414F651

Non-executed Functions

Function 00CB9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CB961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CB969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB96C9
SendMessageW.USER32 ref: 00CB96F2
GetKeyState.USER32(00000011), ref: 00CB978B
GetKeyState.USER32(00000009), ref: 00CB9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB97AE
GetKeyState.USER32(00000010), ref: 00CB97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB97E9
SendMessageW.USER32 ref: 00CB9810
SendMessageW.USER32(?,00001030,?,00CB7E95), ref: 00CB9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CB992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CB9941
SetCapture.USER32(?), ref: 00CB994A
ClientToScreen.USER32(?,?), ref: 00CB99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CB99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB99D6
ReleaseCapture.USER32 ref: 00CB99E1
GetCursorPos.USER32(?), ref: 00CB9A19
ScreenToClient.USER32(?,?), ref: 00CB9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9A80
SendMessageW.USER32 ref: 00CB9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9AEB
SendMessageW.USER32 ref: 00CB9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CB9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CB9B4A
GetCursorPos.USER32(?), ref: 00CB9B68
ScreenToClient.USER32(?,?), ref: 00CB9B75
GetParent.USER32(?), ref: 00CB9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9BFA
SendMessageW.USER32 ref: 00CB9C2B
ClientToScreen.USER32(?,?), ref: 00CB9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CB9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9CDE
SendMessageW.USER32 ref: 00CB9D01
ClientToScreen.USER32(?,?), ref: 00CB9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CB9D82

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

GetWindowLongW.USER32(?,000000F0), ref: 00CB9E05

Strings

@GUI_DRAGID, xrefs: 00CB997D
F, xrefs: 00CB9D07

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 97cdf1d05c72479ca50e57b380db1407f59f4b0e33b1b9b9bd48392e4068476e
Instruction ID: 4a2e24b03d3134f608c2b0a2f53c32a0dda0b1e47155809f95125d57cff8d57b
Opcode Fuzzy Hash: 97cdf1d05c72479ca50e57b380db1407f59f4b0e33b1b9b9bd48392e4068476e
Instruction Fuzzy Hash: A8428A34204651AFDB20CF24CC84FAABBF5FF49310F144619FAA9972A1D771EA50DB92

Function 00CB4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CB48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CB4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CB4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CB494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CB495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CB497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CB49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CB49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CB4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A7E
IsMenu.USER32(?), ref: 00CB4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CB4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CB4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CB4C82
wsprintfW.USER32 ref: 00CB4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CB4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4D5A

Strings

%d/%02d/%02d, xrefs: 00CB4CA8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: c63f36716c7f9d021d0bc6e298e51fed5e99173bca7808f0138e60d16c65827d
Instruction ID: a122e118474ddbfcdd26809bd45c5f14441db97658f21f2cb3154076f484388f
Opcode Fuzzy Hash: c63f36716c7f9d021d0bc6e298e51fed5e99173bca7808f0138e60d16c65827d
Instruction Fuzzy Hash: CD12DF71604214ABEB298F69CC49FEE7BF8EF45710F104229F525EB2E2DB749A41CB50

Function 00C3F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C3F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7F474
IsIconic.USER32(00000000), ref: 00C7F47D
ShowWindow.USER32(00000000,00000009), ref: 00C7F48A
SetForegroundWindow.USER32(00000000), ref: 00C7F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4AA
GetCurrentThreadId.KERNEL32 ref: 00C7F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C7F4DE
SetForegroundWindow.USER32(00000000), ref: 00C7F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F4F6
keybd_event.USER32(00000012,00000000), ref: 00C7F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F50B
keybd_event.USER32(00000012,00000000), ref: 00C7F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F519
keybd_event.USER32(00000012,00000000), ref: 00C7F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F528
keybd_event.USER32(00000012,00000000), ref: 00C7F52D
SetForegroundWindow.USER32(00000000), ref: 00C7F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C7F557

Strings

Shell_TrayWnd, xrefs: 00C7F46F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8f730b6615a5084fc8b750604ca868fdb85f7508fce69228e1cf18d16974117c
Instruction ID: d9609286de4137d328844bdc82a4a6ef913dc81620b3235540c94d86d2e1aa65
Opcode Fuzzy Hash: 8f730b6615a5084fc8b750604ca868fdb85f7508fce69228e1cf18d16974117c
Instruction Fuzzy Hash: CE316471A40318BFEB306BB59C8AFBF7E6CEB44B50F10416AFA15F61D1C6B15D01AA60

Function 00C81201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C81286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C812A8
CloseHandle.KERNEL32(?), ref: 00C812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C812D1
GetProcessWindowStation.USER32 ref: 00C812EA
SetProcessWindowStation.USER32(00000000), ref: 00C812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C81310

Part of subcall function 00C810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
Part of subcall function 00C810BF: CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9

Strings

winsta0, xrefs: 00C812CC
, xrefs: 00C8125A
default, xrefs: 00C8130B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b94fa5e84bffea2b4917f069a83b40ff47ca38a66ff473e78f23cf7d0048f246
Instruction ID: 3efc1373edd04eb24c8680d03162c2da53dac4a55e663825dc877c4f570359fa
Opcode Fuzzy Hash: b94fa5e84bffea2b4917f069a83b40ff47ca38a66ff473e78f23cf7d0048f246
Instruction Fuzzy Hash: 88818C71900209AFDF11AFA5DC89FEE7BBDEF44708F184129F921A61A0D7318A46DB24

Function 00C80B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80C00
GetLengthSid.ADVAPI32(?), ref: 00C80C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C80C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80C6D
GetLengthSid.ADVAPI32(?), ref: 00C80C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80C8C
HeapAlloc.KERNEL32(00000000), ref: 00C80C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80CB4
CopySid.ADVAPI32(00000000), ref: 00C80CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D45
HeapFree.KERNEL32(00000000), ref: 00C80D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D55
HeapFree.KERNEL32(00000000), ref: 00C80D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D65
HeapFree.KERNEL32(00000000), ref: 00C80D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C80D78
HeapFree.KERNEL32(00000000), ref: 00C80D7F

Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fe07e153177f5af35c8d5293d31a862b83900b0ba7e59ffd81d85550c02cd85
Instruction ID: fc895690775c07d1da247464c238e69bd55644cf0834599184048b3323e88e28
Opcode Fuzzy Hash: 1fe07e153177f5af35c8d5293d31a862b83900b0ba7e59ffd81d85550c02cd85
Instruction Fuzzy Hash: A8716E7290020AAFDF50EFA4DC84FAEBBB8BF04304F14461AF914A7191D771AA09CB60

Function 00C9EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CBCC08), ref: 00C9EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C9EB37
GetClipboardData.USER32(0000000D), ref: 00C9EB43
CloseClipboard.USER32 ref: 00C9EB4F
GlobalLock.KERNEL32(00000000), ref: 00C9EB87
CloseClipboard.USER32 ref: 00C9EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C9EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C9EBC9
GetClipboardData.USER32(00000001), ref: 00C9EBD1
GlobalLock.KERNEL32(00000000), ref: 00C9EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C9EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C9EC38
GetClipboardData.USER32(0000000F), ref: 00C9EC44
GlobalLock.KERNEL32(00000000), ref: 00C9EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C9EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C9EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C9ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C9ECF3
CountClipboardFormats.USER32 ref: 00C9ED14
CloseClipboard.USER32 ref: 00C9ED59

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5f339d5826300197ae47b7591f36ca1536b7c77525952f24811c92ad3096235b
Instruction ID: 82ef10475bf9543704e99ac5301d771c815e3644a3da6cc73d80bd79b4184360
Opcode Fuzzy Hash: 5f339d5826300197ae47b7591f36ca1536b7c77525952f24811c92ad3096235b
Instruction Fuzzy Hash: D361CF35204302AFD700EF24D889F2E77A4EF94714F184659F456972A2DB31DE45DB62

Function 00C9698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C969BE
FindClose.KERNEL32(00000000), ref: 00C96A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A75

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C96B6A
%02d, xrefs: 00C96C00, 00C96C0A, 00C96C5A, 00C96CAA, 00C96CFA, 00C96D4A
%03d, xrefs: 00C96DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C96B32
%4d, xrefs: 00C96BB1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 488d7e67890118e75d876a2c86a11eac0d01811a46f380386cf4c3460c696bc7
Instruction ID: 8e5895911970f4ce419b43861cdc6cd077e902f31ef2436b0b2333d694eb8f4e
Opcode Fuzzy Hash: 488d7e67890118e75d876a2c86a11eac0d01811a46f380386cf4c3460c696bc7
Instruction Fuzzy Hash: 60D15EB2508350AFC710EBA4D995EAFB7ECBF88704F44491DF585C6291EB34DA08DB62

Function 00C99642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C99663
GetFileAttributesW.KERNEL32(?), ref: 00C996A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C996BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C996D3
FindClose.KERNEL32(00000000), ref: 00C996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C9974A
SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C99768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C99772
FindClose.KERNEL32(00000000), ref: 00C9977F
FindClose.KERNEL32(00000000), ref: 00C9978F

Strings

*.*, xrefs: 00C996F5

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
Instruction ID: d74c898258ecdcc0378eb117d3120593c56a95c12d7572184e6bcb2251e7007a
Opcode Fuzzy Hash: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
Instruction Fuzzy Hash: B031A3325402196BDF24AFF9DC8DBDE77ACEF49320F14426AF915E21A0DB74DA448A24

Function 00C9979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C99819
FindClose.KERNEL32(00000000), ref: 00C99824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C99840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C99890
SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C998B8
FindClose.KERNEL32(00000000), ref: 00C998C5
FindClose.KERNEL32(00000000), ref: 00C998D5

Part of subcall function 00C8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C8DB00

Strings

*.*, xrefs: 00C9983B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
Instruction ID: 297f455901cd246c1bcf01e85ac041b12dda6683e1c10f1bd4bddc755a1aa6bb
Opcode Fuzzy Hash: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
Instruction Fuzzy Hash: E231A5315006196BDF24AFB9DC4CADE77ACEF06320F14416DE864A21E1DB71DA44DA64

Function 00CABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CABFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CAC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CAC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CAC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CAC382
RegCloseKey.ADVAPI32(00000000), ref: 00CAC38F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a4b16ee88a4d9c19373f367db5440753f6c26a54c5bd9b2c45f5aa230dbe389b
Instruction ID: c7dcbdb6bd354e0c9104a8f2e19ad9fe7568c288581725d2940516ad9688c5bf
Opcode Fuzzy Hash: a4b16ee88a4d9c19373f367db5440753f6c26a54c5bd9b2c45f5aa230dbe389b
Instruction Fuzzy Hash: 78025B71604201AFC714DF28C8D5E2ABBE5EF89308F18859DF85ADB2A2DB31ED45CB51

Function 00C98195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C98257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C98267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C98273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C98310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C9838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98395

Strings

*.*, xrefs: 00C9839B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
Instruction ID: f18cfb87b9e79a8386ea9292d4563c544ea199aea27f293e236bac4f35665292
Opcode Fuzzy Hash: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
Instruction Fuzzy Hash: FC617D715043059FCB10EF64D884A9EB3E8FF89314F04492DF999D7251DB31EA49CB92

Function 00C8D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C8D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C8D1DD
MoveFileW.KERNEL32(?,?), ref: 00C8D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D237

Part of subcall function 00C8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C8D21C,?,?), ref: 00C8D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C8D253
FindClose.KERNEL32(00000000), ref: 00C8D264

Strings

\*.*, xrefs: 00C8D0CD, 00C8D0D6, 00C8D0EB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 2aa8da9ec9a52228b02d7cdd3969e44be7c2be20786ef41956f3519712763d9e
Instruction ID: a0ca28f4b5b9e6cd379f2dd4203914de4dead61868f2cb3c24074db6529446cb
Opcode Fuzzy Hash: 2aa8da9ec9a52228b02d7cdd3969e44be7c2be20786ef41956f3519712763d9e
Instruction Fuzzy Hash: C3618C31C0115DABCF05FBE0EA92AEDB7B9AF55304F244165E402771A2EB306F09EB65

Function 00C9ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C9ED91
EmptyClipboard.USER32 ref: 00C9ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C9EDAC
CloseClipboard.USER32 ref: 00C9EEA3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4244807d53962fd90ce844a3d2e6bdf7e455b731eb9b41ff978f59a441a00e6d
Instruction ID: 16896066d5b74125f401239b219382a0578c4375c597c52a5fac6bbca1b5249b
Opcode Fuzzy Hash: 4244807d53962fd90ce844a3d2e6bdf7e455b731eb9b41ff978f59a441a00e6d
Instruction Fuzzy Hash: 60419E35604621AFEB20DF19E88CF19BBE5FF54328F14C199E4258BA62C735ED41CB91

Function 00C8E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A

ExitWindowsEx.USER32(?,00000000), ref: 00C8E932

Strings

, xrefs: 00C8E920
@, xrefs: 00C8E925
SeShutdownPrivilege, xrefs: 00C8E902
, xrefs: 00C8E95C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
Instruction ID: 905dc65e19794cc47bb1acca437fb302b66c6f7f24af26bc81eb036cfb5a65e9
Opcode Fuzzy Hash: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
Instruction Fuzzy Hash: E601F972610211ABEB6436B59CC6FFF729C9714759F194521FC13E31E2D6E09D4093A8

Function 00CA1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CA1276
WSAGetLastError.WSOCK32 ref: 00CA1283
bind.WSOCK32(00000000,?,00000010), ref: 00CA12BA
WSAGetLastError.WSOCK32 ref: 00CA12C5
closesocket.WSOCK32(00000000), ref: 00CA12F4
listen.WSOCK32(00000000,00000005), ref: 00CA1303
WSAGetLastError.WSOCK32 ref: 00CA130D
closesocket.WSOCK32(00000000), ref: 00CA133C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70ed36cc78464282c6a005cb8ed62c90a4fcc4eda16568e09b3d252e2342ac5f
Instruction ID: f00dd951b5777ae3d4cab4704ae09f399a1e7d590512591c0f9cbd6a9e15d172
Opcode Fuzzy Hash: 70ed36cc78464282c6a005cb8ed62c90a4fcc4eda16568e09b3d252e2342ac5f
Instruction Fuzzy Hash: A34170316001519FD710DF68D5C8B29BBE5AF46318F188298E8669F2E2C771ED81CBE1

Function 00C5B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C5B9D4
_free.LIBCMT ref: 00C5B9F8
_free.LIBCMT ref: 00C5BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CC3700), ref: 00C5BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00CF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C5BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00CF1270,000000FF,?,0000003F,00000000,?), ref: 00C5BC36
_free.LIBCMT ref: 00C5BD4B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b5742a71cd19eee3336a8aa653c3a12deac8b34ab785dc15addff16e6da3df36
Instruction ID: 5a84e7d6990c66a217f653d2ca5a0c6a1fd62e844788840c1ace39736d38509d
Opcode Fuzzy Hash: b5742a71cd19eee3336a8aa653c3a12deac8b34ab785dc15addff16e6da3df36
Instruction Fuzzy Hash: 73C119799042459FCB209F698C41BBEBFB8EF41311F18419AECA4D7251EB309E89D758

Function 00C8D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C8D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D481
FindClose.KERNEL32(00000000), ref: 00C8D498
FindClose.KERNEL32(00000000), ref: 00C8D4A1

Strings

\*.*, xrefs: 00C8D3F2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6a3af9e65d63ae8fd20f5133236e9b26a086e78671cacac38527894316eab6ea
Instruction ID: 385d25e6f6c1257ab0328ff290b88138927f1b3211082b7caf5e99394136bb3e
Opcode Fuzzy Hash: 6a3af9e65d63ae8fd20f5133236e9b26a086e78671cacac38527894316eab6ea
Instruction Fuzzy Hash: 90315E710083959BC304FF64D8919AFB7A8BE95314F444E2DF4E2931E1EB30AA09DB67

Function 00C5E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C5E645

Strings

1#SNAN, xrefs: 00C5F844
1#IND, xrefs: 00C5F83D
1#QNAN, xrefs: 00C5F84B
1#INF, xrefs: 00C5F852

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
Instruction ID: 43c13555841c66877fa6bd66b1aa213a91b926109db9cf76250ab0fd0dc3de05
Opcode Fuzzy Hash: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
Instruction Fuzzy Hash: 31C24B75E046288FDB29CE28CD407EAB7B5EB48306F1441EAD85DE7241E774AF868F44

Function 00C9648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C964DC
CoInitialize.OLE32(00000000), ref: 00C96639
CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C96650
CoUninitialize.OLE32 ref: 00C968D4

Strings

.lnk, xrefs: 00C964BA, 00C96524, 00C965E0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ddef6713cce895dd9cccacd719feeab4cce7d5c110f53d4882443e14008c21f8
Instruction ID: 2f8a7ae5ca490946edc82139a422ab9b74beba1427033d999e81a3021b2fe96f
Opcode Fuzzy Hash: ddef6713cce895dd9cccacd719feeab4cce7d5c110f53d4882443e14008c21f8
Instruction Fuzzy Hash: 65D14971508211AFC704EF24D895E6BB7E8FF98704F00496DF5958B2A1DB71EE09CBA2

Function 00CA22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CA22E8

Part of subcall function 00C9E4EC: GetWindowRect.USER32(?,?), ref: 00C9E504

GetDesktopWindow.USER32 ref: 00CA2312
GetWindowRect.USER32(00000000), ref: 00CA2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CA2355
GetCursorPos.USER32(?), ref: 00CA2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CA23DF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 8b239635ff7422a091c569042fc087c732f064803a15843e692eb89af29a9d54
Instruction ID: 91c6e399183cbb87e7e83ed41c7e420ebab90136191a0baa4905c9b4e5aa2c0a
Opcode Fuzzy Hash: 8b239635ff7422a091c569042fc087c732f064803a15843e692eb89af29a9d54
Instruction Fuzzy Hash: 6531E272505316AFCB20DF58D849F9BB7ADFF86318F000A19F99597191DB34EA08CB92

Function 00C99B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C99B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C99C8B

Part of subcall function 00C93874: GetInputState.USER32 ref: 00C938CB
Part of subcall function 00C93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C99BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C99C75

Strings

*.*, xrefs: 00C99B5D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7a83874f51026ba103082a301f436bc67e127e8b56a0af2cb8c8cd11dac210ff
Instruction ID: 6aff522b57f1ce83d6a78a592ed5eaeadd25d96086cd101c02ca496c27fe557d
Opcode Fuzzy Hash: 7a83874f51026ba103082a301f436bc67e127e8b56a0af2cb8c8cd11dac210ff
Instruction Fuzzy Hash: 1041607194421AAFCF14DF68DC89AEEBBB8FF05310F24416AE815A2191EB309F44DF61

Function 00C3997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C39A4E
GetSysColor.USER32(0000000F), ref: 00C39B23
SetBkColor.GDI32(?,00000000), ref: 00C39B36

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
Instruction ID: 03a94af83d8e82caa44578b9837308fcec1653fad642d7e20d847bc69d824054
Opcode Fuzzy Hash: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
Instruction Fuzzy Hash: C2A15C71128408EEE729AA3E8C99FBF365DDB42340F154309F522C66A5CAB59F01E272

Function 00CA1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
Part of subcall function 00CA304E: _wcslen.LIBCMT ref: 00CA309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CA185D
WSAGetLastError.WSOCK32 ref: 00CA1884
bind.WSOCK32(00000000,?,00000010), ref: 00CA18DB
WSAGetLastError.WSOCK32 ref: 00CA18E6
closesocket.WSOCK32(00000000), ref: 00CA1915

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c7358641c70396b733b1cc55913ede9d2d1f3332807644bd068c2da42b7d3653
Instruction ID: e97ac11fe8c77e1b08db45d7da86bd06c8762c03d17310e14d4c5fa4637c2d18
Opcode Fuzzy Hash: c7358641c70396b733b1cc55913ede9d2d1f3332807644bd068c2da42b7d3653
Instruction Fuzzy Hash: 1C51D371A00210AFDB10AF24D8C6F2A77E5AF49718F188158F9156F3C3C775AE41DBA1

Function 00CB1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CB1CC0
IsWindowEnabled.USER32 ref: 00CB1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CB1CDB
IsIconic.USER32 ref: 00CB1CE9
IsZoomed.USER32 ref: 00CB1CF7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5086c6c123ffee98db2a6456e59f44a81b53d8ee09ac3d7d9337d2772ee45a8a
Instruction ID: fe4e7528f1963cc7a1301fa0937f076a4152f08acc6b8a2af5fa6b9b1da8f8e2
Opcode Fuzzy Hash: 5086c6c123ffee98db2a6456e59f44a81b53d8ee09ac3d7d9337d2772ee45a8a
Instruction Fuzzy Hash: E921D3317402105FD7218F2AC8A4BAA7FA5EF85315F5C8058EC4ACB351CB71EE42CB90

Function 00C28060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C283E8
VUUU, xrefs: 00C65DF0
VUUU, xrefs: 00C2843C
ERCP, xrefs: 00C2813C
VUUU, xrefs: 00C283FA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
Instruction ID: 52942769dd738d46396b985ca1409def38c0fa05db0c6e187167ab63bafd2c22
Opcode Fuzzy Hash: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
Instruction Fuzzy Hash: 27A2A070E0162ACBDF34CF59D8907ADB7B1BF54310F2481AAE825A7684DB749E85CF90

Function 00C8AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C8AAAC
SetKeyboardState.USER32(00000080), ref: 00C8AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C8AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C8AB88

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
Instruction ID: 439ed3f6b0096a23c17c570907a70504b5f0b538a9dd66a0ba84324a12320b96
Opcode Fuzzy Hash: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
Instruction Fuzzy Hash: 57313970A40218AFFF35EB65CC45BFE7BAAAB44318F04421BF0A1561D0D3758E81D76A

Function 00C9CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C9CE89
GetLastError.KERNEL32(?,00000000), ref: 00C9CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C9CEFE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
Instruction ID: 358549eb394765b9d9d9fb1904bf37359ab8212f07cdec5d7764e6c9e23326cf
Opcode Fuzzy Hash: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
Instruction Fuzzy Hash: CA21ACB1900705EBEF20DFA6C988BABB7FCEB50354F10442EE556D2151E770EE049B60

Function 00C88298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C882AA

Strings

|, xrefs: 00C882DA
(, xrefs: 00C882F0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 294bf222ba303d0de1caf33f379291c03e8c8c9b5b3a62bff13a6f8558551e7c
Instruction ID: aadd2488830441c9da988579c04702c6c563a502a193c116ac143f20cc3ed3e9
Opcode Fuzzy Hash: 294bf222ba303d0de1caf33f379291c03e8c8c9b5b3a62bff13a6f8558551e7c
Instruction Fuzzy Hash: 9C324474A006059FCB28DF19C080A6AB7F0FF48714B51C46EE5AADB7A1EB70E981CB44

Function 00C95C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C95CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C95D17
FindClose.KERNEL32(?), ref: 00C95D5F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 716904d0f7998f59b82e22596fd8310507dfa56a87748f20271bd9f6dde2664d
Instruction ID: 5edeeec4ed9fa6ce936d1447d8b6542a1a791b511c6d73e0666b6a92978a406c
Opcode Fuzzy Hash: 716904d0f7998f59b82e22596fd8310507dfa56a87748f20271bd9f6dde2664d
Instruction Fuzzy Hash: 93519B756046019FCB14DF28D498E9AB7E4FF49314F14855EE96A8B3A2CB30ED04CF91

Function 00C52622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C5271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C52724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C52731

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
Instruction ID: 028b54ce5e5dbbdbf29b72ea1357bf8aa73367211727cdb3e9c49dfd6f146731
Opcode Fuzzy Hash: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
Instruction Fuzzy Hash: C631B5759512189BCB21DF64DC89BDDB7B8BF08310F5042EAE81CA7261E7309F859F45

Function 00C951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C95238
SetErrorMode.KERNEL32(00000000), ref: 00C952A1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
Instruction ID: ee8ec7c4e8fe9a533462a42ac4c92bc129091adfdd0d252140c5e874c7ef6b9a
Opcode Fuzzy Hash: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
Instruction Fuzzy Hash: 26312B75A005189FDB00DF94D8C8FADBBB4FF49314F088099E805AB3A2DB31E955CB91

Function 00C816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40668
Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
GetLastError.KERNEL32 ref: 00C8174A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: dec6dccdd93b81aa38f9927a4b51ab383ee4136b8bfbee2c9fba13a3e2bd0219
Instruction ID: 5a5590c9bb744ea93af5dabc4f21ce1736fd7c45d3b2a1143578d187d9f51fd3
Opcode Fuzzy Hash: dec6dccdd93b81aa38f9927a4b51ab383ee4136b8bfbee2c9fba13a3e2bd0219
Instruction Fuzzy Hash: 0C118CB2814204AFD718AF54ECCAE6BB7FDEB44714B24852EF46657241EB70BC428B24

Function 00C8D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C8D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D650

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 50fbb46830de56c1610e44bfc3927d1cc662a50055d7cf42f8b12bf9eb4f29a1
Instruction ID: 5a46af2c27cf20829518f116d0419c84d2d248ea2503833dfaa7254f87b7bc8f
Opcode Fuzzy Hash: 50fbb46830de56c1610e44bfc3927d1cc662a50055d7cf42f8b12bf9eb4f29a1
Instruction Fuzzy Hash: 4B118E71E05228BFDB108F99EC84FAFBBBCEB45B60F108121F914E7290D2704E018BA1

Function 00C81663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C8168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C816A1
FreeSid.ADVAPI32(?), ref: 00C816B1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eec323f532a4060f87dcd852e5fec477da19fad1689be02f6aee7abfe41a0d29
Instruction ID: aa5a43da593d179594c08dde017ff1f3b19bff824a81b5205b766e9106359d0b
Opcode Fuzzy Hash: eec323f532a4060f87dcd852e5fec477da19fad1689be02f6aee7abfe41a0d29
Instruction Fuzzy Hash: FCF0F471950309FBDB00EFE4DC89AAEBBBCFB08604F504565E901E2181E774AA448B64

Function 00C5C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00C5C36C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0842db65abb38e3860b7f61f2de81e9f87151a30d9d32aadfa7a6aa9602b3665
Instruction ID: 9c521541d929881c77e7a6e074de0e792c5b8781cce2bd04f616d4d642283576
Opcode Fuzzy Hash: 0842db65abb38e3860b7f61f2de81e9f87151a30d9d32aadfa7a6aa9602b3665
Instruction Fuzzy Hash: 1541337A900318AFCB209FB9CC89EBB77B8EB84315F104268FD15C7190E2709EC58B58

Function 00C4CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f6b792da03e315db686ee15b51bc64fb3fa02d06511a77b31e53beb64903b9f1
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B6022B71E012199BDF54CFA9C8C06ADFBF1FF48314F25816AD929E7390D731AA418B94

Function 00C968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C96918
FindClose.KERNEL32(00000000), ref: 00C96961

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a440f43323a2d5bbfca95b6c242cebc856b47cee536993569612ee9ae34d85a7
Instruction ID: a9be70d1906cb954128dcde9f3adbca9e240b0a6ea878c2b04d8be4d800ebfc4
Opcode Fuzzy Hash: a440f43323a2d5bbfca95b6c242cebc856b47cee536993569612ee9ae34d85a7
Instruction Fuzzy Hash: 5C118E316042109FCB10DF69D4C8A1ABBE5EF89328F15C6A9E4698F6A2C730EC05CB91

Function 00C937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937F4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1135d16c8a290d7366ea47ea6b834fc6f4aab82ec5248eb60a3f678bc7efc1bd
Instruction ID: e341a0d554e37b85acd3451c6e94b9900b3714d99a110f6f2af681913593c209
Opcode Fuzzy Hash: 1135d16c8a290d7366ea47ea6b834fc6f4aab82ec5248eb60a3f678bc7efc1bd
Instruction Fuzzy Hash: FEF0E5B07042282AEB2057A69C8DFEB3AAEEFC5761F000265F509D22D1DA609904C6B1

Function 00C8B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C8B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00C8B270

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6e4a06822912a9c91cc580d7b3e75dc1b3633c3ffd97e68c721edc9e5954df45
Instruction ID: 0162936ae407561ee248a2574799c4e26b5026c6243b4c6dc2991f95548897e2
Opcode Fuzzy Hash: 6e4a06822912a9c91cc580d7b3e75dc1b3633c3ffd97e68c721edc9e5954df45
Instruction Fuzzy Hash: 37F06D7080424EABDF059FA0C805BEE7BB0FF04309F008009F961A5192C37986019F98

Function 00C810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 83ef741245b32006cf8f45ee53929c7190c7aa141e3d655aa548a81d0ebe1a6a
Instruction ID: da93d3b60964e5af1a377107f5b1027ceb9e9925fb681ad663357c06da5e1139
Opcode Fuzzy Hash: 83ef741245b32006cf8f45ee53929c7190c7aa141e3d655aa548a81d0ebe1a6a
Instruction Fuzzy Hash: 49E04F32418600AFE7252B11FC09F7777E9EB04320F14892DF4A5804B1DB626C91EB50

Function 00C2CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C70C40

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: cd56040db22b2d732c8863ee5b7eaafc01953d219a3b9fbc42b1e8b36ad6648b
Instruction ID: 6688bcce7e8e40a4d7bcd233f880f84b76081c9b523f98d121929670f847213e
Opcode Fuzzy Hash: cd56040db22b2d732c8863ee5b7eaafc01953d219a3b9fbc42b1e8b36ad6648b
Instruction Fuzzy Hash: E932BC70900228DBCF14DF94E9C1BEDB7B5FF09304F208069E81AAB692D775AE45DB61

Function 00C5676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C56766,?,?,00000008,?,?,00C5FEFE,00000000), ref: 00C56998

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
Instruction ID: ab8a93f9c6b4b27bd9a3397eb9627a2bfed7094b422caa337aefac0e79e13a71
Opcode Fuzzy Hash: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
Instruction Fuzzy Hash: 59B16C39610608DFD715CF28C486B657BE0FF05366F658658ECA9CF2A2C335DA89CB44

Function 00C3B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C7851F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b3fb3b0b399346bc16ebf99983d8fb468b1599692f9469448b683b8fb60c1af4
Instruction ID: c011e6707b9cb54f86d6cae88ff386d943517fa9695ce8698df5a0033a78e055
Opcode Fuzzy Hash: b3fb3b0b399346bc16ebf99983d8fb468b1599692f9469448b683b8fb60c1af4
Instruction Fuzzy Hash: E3126E71A102299BCB14CF59C881BEEB7F5FF48710F14819AE959EB251EB309E85CF90

Function 00C9EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C9EABD

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5dc2836610b770781093453b354b2ccef52b02d779b84b67ad218db6d0bacb6c
Instruction ID: f8d8da63c6e6abc1fb7972e076a891f97b9c96546aaa66a32b4201ce8a15a29e
Opcode Fuzzy Hash: 5dc2836610b770781093453b354b2ccef52b02d779b84b67ad218db6d0bacb6c
Instruction Fuzzy Hash: D8E048312002159FD710EF59D444E5AFBD9AF58760F048426FC45C7761DB70EC419B90

Function 00C409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C403EE), ref: 00C409DA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa0283e641509bdf74ce434271c80280cd313de376ccd186498ed92d6a0df92a
Instruction ID: bd0c8c19261875eda3ce74e09d5253bcbc698bb0c1ebf99b39a403d232361144
Opcode Fuzzy Hash: aa0283e641509bdf74ce434271c80280cd313de376ccd186498ed92d6a0df92a
Instruction Fuzzy Hash:

Function 00C4781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C4798B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e26b7a5c077455ebd52cf364c24e6211c50b405f44687ccb70857df0f4c5fc04
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 35518B71A0C7455BDF388579895D7BF2789BB22300F180B09E8A2EB2C2C715DF09E356

Function 00C56DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
Instruction ID: 5f352ce7b04a20ffc1280cd3052b9f68403f9bfa395a1fc0b2eae6535eba3b2f
Opcode Fuzzy Hash: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
Instruction Fuzzy Hash: 5B321326D29F014DD7239634D822339A249AFB73C6F15D737EC2AB59A6EF28C5C34100

Function 00C3CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
Instruction ID: c3598c2985832d650e171b84cd28db2fa53089f8e756518892307528ae60ad3e
Opcode Fuzzy Hash: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
Instruction Fuzzy Hash: 51321631A001578BDF28DF29D4D467D7BA1EB45310F28C56EE86EAB291D730DE82EB41

Function 00C27920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b9aa4153c5e8a03b7c56803153eb62c0d3e9765a4a33d37bc5e5045f1b9e90
Instruction ID: 112cb640ac639a3821146153e0296109534a1a64af24e15efc8e73ca792f5c90
Opcode Fuzzy Hash: 05b9aa4153c5e8a03b7c56803153eb62c0d3e9765a4a33d37bc5e5045f1b9e90
Instruction Fuzzy Hash: FD22D170A0061ADFDF14CF65D8C1AAEB3F1FF44300F204629E816A7691EB36AE55DB50

Function 00C291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c10657fb7e572fc474158f4f11c32ac0679aab4ec0e9d3d08eb09aeae7c76ef
Instruction ID: ed17a798c2b28bd2ad0fe451bb5d38b4203a230da30ebc1aacbe9d3a061424c1
Opcode Fuzzy Hash: 9c10657fb7e572fc474158f4f11c32ac0679aab4ec0e9d3d08eb09aeae7c76ef
Instruction Fuzzy Hash: 8E02C6B0E00219EFDB14DF55D881AAEBBB1FF44304F108569E8169B291EB31EE21DB95

Function 00C59EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
Instruction ID: ad125024d3cfb9dde10cb0c5a086dd1fdf59f8eec2aff12f10e2998b83ae33b7
Opcode Fuzzy Hash: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
Instruction Fuzzy Hash: 66B1E120D2AF814DD3239639D83133AB65CAFBB6D5F95D71BFC2674D62EB2286834140

Function 00C41C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4289f811252e586c442959e26ff96629a15dcc7f4c5c3db5e0ddbc3abdcdebec
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 739157766080E34ADB2A467E857407EFFE17A523B131E079DDCF2CA1C5FE249A94D620

Function 00C41F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 38a74a2d61e377475189b1c43643274c3373840a8c110d7544842017a7716bee
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 63917A726090E349EB2D467A857503DFFE16A923A135E079DF8F2CB1C5EE24CA58D620

Function 00C419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: e5bed8bbf9892df857f66a3537b1942588a479d0fa2b37dcad05525218cd36f0
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 619115722090E34EDB6D467A857443DFFE1AA923A131E079DDCF2CA1C5FE24D694E620

Function 00C47A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
Instruction ID: 8eecf0d18269045bfdc80102f2619767fed662bb5b4729de1dc25fbc3dbe7458
Opcode Fuzzy Hash: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
Instruction Fuzzy Hash: 9061787160874997EE349A288D95BBE2398FF41700F201B1EFDA3DB281DB119F46E356

Function 00C47CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
Instruction ID: 4f4c5225925e5167411102475d76c8c4a3908fbe518ccd74249a75ccf051b3d5
Opcode Fuzzy Hash: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
Instruction Fuzzy Hash: 3961CD31E2C7496BDE389A284D95BBF2398FF42704F100B59E953DB281DB12EF429355

Function 00C41706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e7bb34e96758302fd2ee4ab78053c77e06ca7fbbe204b17b794f7f89d45c2518
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E58143726090E349DB6D467A857443EFFE17A923A131E079DDCF2CA1C1EE249794E620

Function 00C92046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
Instruction ID: d5db6a420af4e0c4c8aff40f692e7c443d20d291a4807759e68605b031481d1a
Opcode Fuzzy Hash: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
Instruction Fuzzy Hash: B221B7326206158BDB28CF79C82377E73E5A754320F25862EE4A7C37D1DE35A904CB80

Function 00CA2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA2B30
DeleteObject.GDI32(00000000), ref: 00CA2B43
DestroyWindow.USER32 ref: 00CA2B52
GetDesktopWindow.USER32 ref: 00CA2B6D
GetWindowRect.USER32(00000000), ref: 00CA2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CA2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CA2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2CF8
GetClientRect.USER32(00000000,?), ref: 00CA2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CA2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D80
GlobalLock.KERNEL32(00000000), ref: 00CA2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CA2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2DA8
GlobalFree.KERNEL32(00000000), ref: 00CA2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CBFC38,00000000), ref: 00CA2DDB
GlobalFree.KERNEL32(00000000), ref: 00CA2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CA2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CA2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA303F

Strings

AutoIt v3, xrefs: 00CA2CF2
, xrefs: 00CA2FC5
DISPLAY, xrefs: 00CA2EA2
static, xrefs: 00CA2D3A, 00CA2E91

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 05373507ae50097d76d9901a45658923f050770df3a1c021f1416162a9afb8d2
Instruction ID: 80680eb1f7ccaca0920cb35189871ba3c7e19a93823494cc42f721aabe1994a0
Opcode Fuzzy Hash: 05373507ae50097d76d9901a45658923f050770df3a1c021f1416162a9afb8d2
Instruction Fuzzy Hash: F0025971900215EFDB14DFA8DC89FAE7BB9EB49714F048258F915AB2A1CB74ED01CB60

Function 00CB70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CB712F
GetSysColorBrush.USER32(0000000F), ref: 00CB7160
GetSysColor.USER32(0000000F), ref: 00CB716C
SetBkColor.GDI32(?,000000FF), ref: 00CB7186
SelectObject.GDI32(?,?), ref: 00CB7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CB71C0
GetSysColor.USER32(00000010), ref: 00CB71C8
CreateSolidBrush.GDI32(00000000), ref: 00CB71CF
FrameRect.USER32(?,?,00000000), ref: 00CB71DE
DeleteObject.GDI32(00000000), ref: 00CB71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CB7230
FillRect.USER32(?,?,?), ref: 00CB7262
GetWindowLongW.USER32(?,000000F0), ref: 00CB7284

Part of subcall function 00CB73E8: GetSysColor.USER32(00000012), ref: 00CB7421
Part of subcall function 00CB73E8: SetTextColor.GDI32(?,?), ref: 00CB7425
Part of subcall function 00CB73E8: GetSysColorBrush.USER32(0000000F), ref: 00CB743B
Part of subcall function 00CB73E8: GetSysColor.USER32(0000000F), ref: 00CB7446
Part of subcall function 00CB73E8: GetSysColor.USER32(00000011), ref: 00CB7463
Part of subcall function 00CB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
Part of subcall function 00CB73E8: SelectObject.GDI32(?,00000000), ref: 00CB7482
Part of subcall function 00CB73E8: SetBkColor.GDI32(?,00000000), ref: 00CB748B
Part of subcall function 00CB73E8: SelectObject.GDI32(?,?), ref: 00CB7498
Part of subcall function 00CB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
Part of subcall function 00CB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
Part of subcall function 00CB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 11b8bcb59c3046b65e6a9db50c93be62879ed199f6718663f8085a7d752a5bba
Instruction ID: 6763ea0928cade1d4b35e73fbc1f2f8eee5abc912f45319c4163a050e82cbac4
Opcode Fuzzy Hash: 11b8bcb59c3046b65e6a9db50c93be62879ed199f6718663f8085a7d752a5bba
Instruction Fuzzy Hash: 50A16272008301EFD7119F64DC88B9F7BA9FB89321F100B19F9A2A61E1D775E944DB62

Function 00C38D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C38E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C76AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C76AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C76F43

Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5

SendMessageW.USER32(?,00001053), ref: 00C76F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C76F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FB7

Strings

0, xrefs: 00C76DCF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
Instruction ID: 07d4e03ee13605e330eba78d62ce2efbef1f9f3ae27dd12be3afaf78d2301f2b
Opcode Fuzzy Hash: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
Instruction Fuzzy Hash: 6F12BB34200A01DFDB25CF24C884BBABBA5FB45300F188569F4A9CB261CB71EE56DF91

Function 00CA2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CA273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CA286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CA28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CA28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CA2900
GetClientRect.USER32(00000000,?), ref: 00CA290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CA2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CA2964
GetStockObject.GDI32(00000011), ref: 00CA2974
SelectObject.GDI32(00000000,00000000), ref: 00CA2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CA2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA2991
DeleteDC.GDI32(00000000), ref: 00CA299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CA29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CA29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CA2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CA2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CA2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CA2A77
GetStockObject.GDI32(00000011), ref: 00CA2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CA2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CA2A97

Strings

AutoIt v3, xrefs: 00CA28F8
msctls_progress32, xrefs: 00CA2A13
DISPLAY, xrefs: 00CA295A
static, xrefs: 00CA294F, 00CA2A71

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7cc5195de98ba1708fc7d1447f172274beb0887f0e97211b8d58528416bafee9
Instruction ID: ff625f897ba4f6fb7362bcc1560f1e52849bf965bfec4780bfe0e229f6c12ec4
Opcode Fuzzy Hash: 7cc5195de98ba1708fc7d1447f172274beb0887f0e97211b8d58528416bafee9
Instruction Fuzzy Hash: 1FB14C71A00215AFEB14DFA8DC89FAE7BA9EB49714F044214F915EB2A0D774ED40CBA0

Function 00C94ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C94AED
GetDriveTypeW.KERNEL32(?,00CBCB68,?,\\.\,00CBCC08), ref: 00C94BCA
SetErrorMode.KERNEL32(00000000,00CBCB68,?,\\.\,00CBCC08), ref: 00C94D36

Strings

\\.\, xrefs: 00C94B3F
iSCSI, xrefs: 00C94CC2
SSD, xrefs: 00C94C4A
FileBackedVirtual, xrefs: 00C94CEC
1394, xrefs: 00C94C9F
USB, xrefs: 00C94CB4
Fixed, xrefs: 00C94C09
RAID, xrefs: 00C94CBB
Removable, xrefs: 00C94C10, 00C94C15
ATAPI, xrefs: 00C94C91
CDROM, xrefs: 00C94BFB
Virtual, xrefs: 00C94CE5
ATA, xrefs: 00C94C98
SSA, xrefs: 00C94CA6
Network, xrefs: 00C94C02
MMC, xrefs: 00C94CDE
RAMDisk, xrefs: 00C94BF4
PhysicalDrive, xrefs: 00C94B76
SATA, xrefs: 00C94CD0
Unknown, xrefs: 00C94BED, 00C94C83
Fibre, xrefs: 00C94CAD
SCSI, xrefs: 00C94C8A
SAS, xrefs: 00C94CC9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5725293d00c18a7a7c1e5b10ca3f19447e384483a4114afb7dc226ff72c86c91
Instruction ID: 0f70e9dbe8b57f45167982328543ebe32d2a04f26e3f4e21c499ace9497b06cd
Opcode Fuzzy Hash: 5725293d00c18a7a7c1e5b10ca3f19447e384483a4114afb7dc226ff72c86c91
Instruction Fuzzy Hash: 0361D330705246DFCF0CDF26CA8AD6CB7A1EB18384B244465F806AB691DB35EF52EB41

Function 00CB73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CB7421
SetTextColor.GDI32(?,?), ref: 00CB7425
GetSysColorBrush.USER32(0000000F), ref: 00CB743B
GetSysColor.USER32(0000000F), ref: 00CB7446
CreateSolidBrush.GDI32(?), ref: 00CB744B
GetSysColor.USER32(00000011), ref: 00CB7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
SelectObject.GDI32(?,00000000), ref: 00CB7482
SetBkColor.GDI32(?,00000000), ref: 00CB748B
SelectObject.GDI32(?,?), ref: 00CB7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CB7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CB7572
DrawFocusRect.USER32(?,?), ref: 00CB757D
GetSysColor.USER32(00000011), ref: 00CB758E
SetTextColor.GDI32(?,00000000), ref: 00CB7596
DrawTextW.USER32(?,00CB70F5,000000FF,?,00000000), ref: 00CB75A8
SelectObject.GDI32(?,?), ref: 00CB75BF
DeleteObject.GDI32(?), ref: 00CB75CA
SelectObject.GDI32(?,?), ref: 00CB75D0
DeleteObject.GDI32(?), ref: 00CB75D5
SetTextColor.GDI32(?,?), ref: 00CB75DB
SetBkColor.GDI32(?,?), ref: 00CB75E5

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ea142c45e76a314877965cd38b599fa1ea0a2e2deb16a051bf31972b59355be3
Instruction ID: 20cf75c44a81bc563354d02f77af8cf44a48bf81b3cf44fd010bafcb6d0a614f
Opcode Fuzzy Hash: ea142c45e76a314877965cd38b599fa1ea0a2e2deb16a051bf31972b59355be3
Instruction Fuzzy Hash: 55615D72904218AFDB119FA8DC89FEE7FB9EB48320F114215F915BB2A1D7709940DFA0

Function 00CB0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CB1128
GetDesktopWindow.USER32 ref: 00CB113D
GetWindowRect.USER32(00000000), ref: 00CB1144
GetWindowLongW.USER32(?,000000F0), ref: 00CB1199
DestroyWindow.USER32(?), ref: 00CB11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CB11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CB121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CB1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CB1245
IsWindowVisible.USER32(00000000), ref: 00CB12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CB12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CB12D0
GetWindowRect.USER32(00000000,?), ref: 00CB12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CB130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CB1328
CopyRect.USER32(?,?), ref: 00CB133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CB13AA

Strings

(, xrefs: 00CB131B
0, xrefs: 00CB10D3
tooltips_class32, xrefs: 00CB11E6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ff77bd33a09adb557a3b3d0015aa99fc1de21a5bf04e4fffc872e99412033211
Instruction ID: 133745b4d97684306c2ccbed0fe638ed8bf630beb84c90e2fd869450eada558d
Opcode Fuzzy Hash: ff77bd33a09adb557a3b3d0015aa99fc1de21a5bf04e4fffc872e99412033211
Instruction Fuzzy Hash: 71B1BC71608351AFD710DF64D884BAEBBE4FF88300F448A18F9999B2A1D770ED44CB92

Function 00CB0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CB02E5
_wcslen.LIBCMT ref: 00CB031F
_wcslen.LIBCMT ref: 00CB0389
_wcslen.LIBCMT ref: 00CB03F1
_wcslen.LIBCMT ref: 00CB0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CB04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CB0504

Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD

Part of subcall function 00C8223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C82258
Part of subcall function 00C8223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C8228A

Strings

GETSUBITEMCOUNT, xrefs: 00CB0384, 00CB039F
SELECT, xrefs: 00CB0548
SELECTCLEAR, xrefs: 00CB052D
GETSELECTED, xrefs: 00CB05E1
DESELECT, xrefs: 00CB059C
VIEWCHANGE, xrefs: 00CB0675
SELECTALL, xrefs: 00CB0515
GETTEXT, xrefs: 00CB03EC, 00CB0407
GETSELECTEDCOUNT, xrefs: 00CB0470, 00CB048B
GETITEMCOUNT, xrefs: 00CB0316, 00CB0337
SELECTINVERT, xrefs: 00CB057E
ISSELECTED, xrefs: 00CB04DD
FINDITEM, xrefs: 00CB0627

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 972c6d6e77655d7026ef879247124eef857c46980eb2f37b3a384d7c7fdc4bb4
Instruction ID: 34cbbee2147600d8bef9edaa3b3abcf2cea7c8105d2bcda2bc54f381f9d01e35
Opcode Fuzzy Hash: 972c6d6e77655d7026ef879247124eef857c46980eb2f37b3a384d7c7fdc4bb4
Instruction Fuzzy Hash: 31E1C0312083518FCB14DF25C5919AFB3E6BF98314F244A6CF8A69B6A1DB30EE45DB41

Function 00C38891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C38968
GetSystemMetrics.USER32(00000007), ref: 00C38970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C3899B
GetSystemMetrics.USER32(00000008), ref: 00C389A3
GetSystemMetrics.USER32(00000004), ref: 00C389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C38A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C38A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C38A5A
GetStockObject.GDI32(00000011), ref: 00C38A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C38A81

Part of subcall function 00C3912D: GetCursorPos.USER32(?), ref: 00C39141
Part of subcall function 00C3912D: ScreenToClient.USER32(00000000,?), ref: 00C3915E
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000001), ref: 00C39183
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000002), ref: 00C3919D

SetTimer.USER32(00000000,00000000,00000028,00C390FC), ref: 00C38AA8

Strings

AutoIt v3 GUI, xrefs: 00C38A20

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e00f3789226d238160274b2e8e09192746ff8115ae1eab86279a34b28da6d6b8
Instruction ID: 96c890380553018ba293ea5b77a02b66985bd857c9401373b97ded5ecea6d791
Opcode Fuzzy Hash: e00f3789226d238160274b2e8e09192746ff8115ae1eab86279a34b28da6d6b8
Instruction Fuzzy Hash: 7FB18971A00209EFDF14DFA8CC85BAE3BB5FB48314F158229FA15AB2D0DB74A944CB51

Function 00C80D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80E29
GetLengthSid.ADVAPI32(?), ref: 00C80E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C80E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80E96
GetLengthSid.ADVAPI32(?), ref: 00C80EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80EB5
HeapAlloc.KERNEL32(00000000), ref: 00C80EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80EDD
CopySid.ADVAPI32(00000000), ref: 00C80EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F6E
HeapFree.KERNEL32(00000000), ref: 00C80F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F7E
HeapFree.KERNEL32(00000000), ref: 00C80F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F8E
HeapFree.KERNEL32(00000000), ref: 00C80F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C80FA1
HeapFree.KERNEL32(00000000), ref: 00C80FA8

Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
Instruction ID: 30b0b40e70ebefb2fc2b3cde3b141167f637d71775c2f4fe55a144157145661c
Opcode Fuzzy Hash: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
Instruction Fuzzy Hash: DE715E7190020AABDF60EFA4DC45FAEBBB8BF05344F148215FA69E7191D7319A19CB60

Function 00CAC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CAC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CBCC08,00000000,?,00000000,?,?), ref: 00CAC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CAC5A4
_wcslen.LIBCMT ref: 00CAC5F4
_wcslen.LIBCMT ref: 00CAC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CAC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CAC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CAC84D
RegCloseKey.ADVAPI32(?), ref: 00CAC881
RegCloseKey.ADVAPI32(00000000), ref: 00CAC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CAC960

Strings

REG_BINARY, xrefs: 00CAC913
REG_EXPAND_SZ, xrefs: 00CAC5CD
REG_SZ, xrefs: 00CAC644
REG_QWORD, xrefs: 00CAC8C3
REG_DWORD, xrefs: 00CAC804
REG_MULTI_SZ, xrefs: 00CAC6F5

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6ccd45e9533567061668b1ebcbf07a217f952c63d8646195f9c2696d51cd9573
Instruction ID: 3be928bac921eed2e83c4acdb380a4e375307c754058b90f5fa8ede1c0e23533
Opcode Fuzzy Hash: 6ccd45e9533567061668b1ebcbf07a217f952c63d8646195f9c2696d51cd9573
Instruction Fuzzy Hash: F41289356042119FC714DF28D881B2AB7E5FF89718F04896CF89A9B7A2DB31ED41DB81

Function 00CB091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CB09C6
_wcslen.LIBCMT ref: 00CB0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB0A54
_wcslen.LIBCMT ref: 00CB0A8A
_wcslen.LIBCMT ref: 00CB0B06
_wcslen.LIBCMT ref: 00CB0B81

Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD

Part of subcall function 00C82BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C82BFA

Strings

GETTEXT, xrefs: 00CB0C97
EXPAND, xrefs: 00CB0BF8
GETTOTALCOUNT, xrefs: 00CB09F2, 00CB0A17
ISCHECKED, xrefs: 00CB0CE1
SELECT, xrefs: 00CB0D11
EXISTS, xrefs: 00CB0B7C, 00CB0B97
GETSELECTED, xrefs: 00CB0C4E
GETITEMCOUNT, xrefs: 00CB0C1E
CHECK, xrefs: 00CB0A85, 00CB0AA0
UNCHECK, xrefs: 00CB0D3E
COLLAPSE, xrefs: 00CB0B01, 00CB0B1C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 8756ab4958433502898067741aa5d945329a211fc316b0c026160be37ab2af2e
Instruction ID: c589489f2d5f3879c93d705dcbee70ee78273fd66a94384f5679011326dc10bf
Opcode Fuzzy Hash: 8756ab4958433502898067741aa5d945329a211fc316b0c026160be37ab2af2e
Instruction Fuzzy Hash: ADE19D316083518FCB14DF25C49096BB7E1BF98314F24895DF8A69B7A2D730EE46DB81

Function 00CAC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
_wcslen.LIBCMT ref: 00CAC9F1
_wcslen.LIBCMT ref: 00CACA68
_wcslen.LIBCMT ref: 00CACA9E
_wcslen.LIBCMT ref: 00CACAF9
_wcslen.LIBCMT ref: 00CACB2F
_wcslen.LIBCMT ref: 00CACB7F

Strings

HKU, xrefs: 00CACBF0
HKCU, xrefs: 00CACBCE
HKEY_CLASSES_ROOT, xrefs: 00CACAF3, 00CACAF8
HKEY_CURRENT_CONFIG, xrefs: 00CACB79, 00CACB7E
HKEY_CURRENT_USER, xrefs: 00CACBBD
HKLM, xrefs: 00CACA98, 00CACA9D
HKEY_USERS, xrefs: 00CACBDF
HKCR, xrefs: 00CACB29, 00CACB2E
HKCC, xrefs: 00CACBAC
HKEY_LOCAL_MACHINE, xrefs: 00CACA62, 00CACA67

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5f4e618ae655796142ec9a26427599e486eff2c5ea348c9a18d6ca6962443d2d
Instruction ID: 3c86888373cedcbd01f5560016a2b1e787bdb04c089953c7d8803affd19b12b1
Opcode Fuzzy Hash: 5f4e618ae655796142ec9a26427599e486eff2c5ea348c9a18d6ca6962443d2d
Instruction Fuzzy Hash: EC71D73260416B8BCF20DE7DD9D16BE3395AB6275CF250528F87697284E631CE45E3A0

Function 00CB833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB835A
_wcslen.LIBCMT ref: 00CB836E
_wcslen.LIBCMT ref: 00CB8391
_wcslen.LIBCMT ref: 00CB83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CB83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CB5BF2), ref: 00CB844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CB84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8501
FreeLibrary.KERNEL32(?), ref: 00CB850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CB851D
DestroyIcon.USER32(?,?,?,?,?,00CB5BF2), ref: 00CB852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CB8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CB8555

Strings

.icl, xrefs: 00CB8368
.dll, xrefs: 00CB83AB
.exe, xrefs: 00CB8388

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
Instruction ID: 1809a429d07cc3f9acaf789b43c2df1cd825003fdddc45797542a24f98a2990a
Opcode Fuzzy Hash: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
Instruction Fuzzy Hash: 8F61DF71500215BEEB24DF64CC81BFE77ACBB08B11F104609F825E61D1DF74AA88EBA0

Function 00C27778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 00C278ED
", xrefs: 00C65153
#OnAutoItStartRegister, xrefs: 00C27817
#pragma compile, xrefs: 00C277D3
Unterminated group of comments, xrefs: 00C6528C
#cs, xrefs: 00C27873, 00C278C5
#comments-end, xrefs: 00C278D9
#notrayicon, xrefs: 00C277E7
#comments-start, xrefs: 00C2785F, 00C278B1
Bad directive syntax error, xrefs: 00C6519A
#requireadmin, xrefs: 00C277FF
#include, xrefs: 00C27847
', xrefs: 00C65169
Cannot parse #include, xrefs: 00C65279
#include-once, xrefs: 00C2782F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e0174b2f53bf877ed99c7b1d643e25db676b2bf0f6bf3297069bad8fcf6f0016
Instruction ID: d3e730c23d3cf22af369daef542dc27fefc4b9cad09b02c0f45d8da9bb49c38b
Opcode Fuzzy Hash: e0174b2f53bf877ed99c7b1d643e25db676b2bf0f6bf3297069bad8fcf6f0016
Instruction Fuzzy Hash: C8812771A04225BBDF21AF61ECC2FAE37B8BF15700F144124F914AB592EB70DA45D7A1

Function 00C93E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C93EF8
_wcslen.LIBCMT ref: 00C93F03
_wcslen.LIBCMT ref: 00C93F5A
_wcslen.LIBCMT ref: 00C93F98
GetDriveTypeW.KERNEL32(?), ref: 00C93FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94087

Strings

close, xrefs: 00C93EFE, 00C93F18
wait, xrefs: 00C94044
type cdaudio alias cd wait, xrefs: 00C94001
open , xrefs: 00C93FE5
close cd wait, xrefs: 00C94072
set cd door , xrefs: 00C94028
open, xrefs: 00C93F54, 00C93F59
closed, xrefs: 00C93F08, 00C93F2D, 00C93F46, 00C93F7E, 00C93F97

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 795a852053eaf8d8ab599be3681154967ac997e1c1a538a21389cf20838ed2d9
Instruction ID: 82a4bbd308d53944f55ab0f4c7b808855533778403c95d009f174fe97bd5e5f8
Opcode Fuzzy Hash: 795a852053eaf8d8ab599be3681154967ac997e1c1a538a21389cf20838ed2d9
Instruction Fuzzy Hash: 9271E1726043119FCB10EF24C88596EB7F4EFA8754F10492DF8A597261EB30EE46DB91

Function 00C85A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C85A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C85A40
SetWindowTextW.USER32(?,?), ref: 00C85A57
GetDlgItem.USER32(?,000003EA), ref: 00C85A6C
SetWindowTextW.USER32(00000000,?), ref: 00C85A72
GetDlgItem.USER32(?,000003E9), ref: 00C85A82
SetWindowTextW.USER32(00000000,?), ref: 00C85A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C85AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C85AC3
GetWindowRect.USER32(?,?), ref: 00C85ACC
_wcslen.LIBCMT ref: 00C85B33
SetWindowTextW.USER32(?,?), ref: 00C85B6F
GetDesktopWindow.USER32 ref: 00C85B75
GetWindowRect.USER32(00000000), ref: 00C85B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C85BD3
GetClientRect.USER32(?,?), ref: 00C85BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C85C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C85C2F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
Instruction ID: 4ec441390a1a65f93575b8df882b3f439ab5b3717f413c284ad8ebb7ff0f6b9a
Opcode Fuzzy Hash: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
Instruction Fuzzy Hash: E2716E31900B05AFDB20EFA9CE85FAEBBF5FF48708F104618E552A25A0D7B5E944CB54

Function 00C9FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C9FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00C9FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00C9FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00C9FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00C9FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00C9FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00C9FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00C9FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00C9FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00C9FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00C9FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00C9FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00C9FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00C9FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00C9FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00C9FECC
GetCursorInfo.USER32(?), ref: 00C9FEDC
GetLastError.KERNEL32 ref: 00C9FF1E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f6a9ae9295ee838accd0f946c3462f1c7eef133bfa8f2ddb90ad6f6d0cc0d569
Instruction ID: 94e4499d186984d404ffdc90b0dd4266907504c04ad6c65975ed41f563f00807
Opcode Fuzzy Hash: f6a9ae9295ee838accd0f946c3462f1c7eef133bfa8f2ddb90ad6f6d0cc0d569
Instruction Fuzzy Hash: 954152B0D08319AADB10DFBA8CC995EBFE8FF04354B50452AF11DE7281DB78A901CE91

Function 00C400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C400C6

Part of subcall function 00C400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CF070C,00000FA0,D1CC8207,?,?,?,?,00C623B3,000000FF), ref: 00C4011C
Part of subcall function 00C400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C623B3,000000FF), ref: 00C40127
Part of subcall function 00C400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C623B3,000000FF), ref: 00C40138
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C4014E
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C4015C
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C4016A
Part of subcall function 00C400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C40195
Part of subcall function 00C400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C401A0

___scrt_fastfail.LIBCMT ref: 00C400E7

Part of subcall function 00C400A3: __onexit.LIBCMT ref: 00C400A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C40122
kernel32.dll, xrefs: 00C40133
InitializeConditionVariable, xrefs: 00C40148
SleepConditionVariableCS, xrefs: 00C40154
WakeAllConditionVariable, xrefs: 00C40162

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fa4bc962eb273e97a645b669898204f0743fb4a689e7e24b07c520b3f1949a67
Instruction ID: c787a1a05d713cce0fbe2e04b6fe9bc0c7553ade277dd48abee28188ed43eee1
Opcode Fuzzy Hash: fa4bc962eb273e97a645b669898204f0743fb4a689e7e24b07c520b3f1949a67
Instruction Fuzzy Hash: 6121C933A847106BD7116BB4AC86B6E7398FB45F51F20063EFE11A6292DF749C008A91

Function 00C830F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8318D
_wcslen.LIBCMT ref: 00C831F8

Strings

REGEXPCLASS, xrefs: 00C83255, 00C83266
NAME, xrefs: 00C83335, 00C83346
INSTANCE, xrefs: 00C83453
TEXT, xrefs: 00C8347C
CLASS, xrefs: 00C83188, 00C831A5
CLASSNN, xrefs: 00C831F3, 00C83204

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
Instruction ID: 418567503c22e9dda550c5e80cff4974daf12772c414a0dacd3cca091f4c586e
Opcode Fuzzy Hash: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
Instruction Fuzzy Hash: 84E11731A00696ABCF18AF78C8517EDFBB0BF54B18F149129E466B7240DB30AF859794

Function 00C944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CBCC08), ref: 00C94527
_wcslen.LIBCMT ref: 00C9453B
_wcslen.LIBCMT ref: 00C94599
_wcslen.LIBCMT ref: 00C945F4
_wcslen.LIBCMT ref: 00C9463F
_wcslen.LIBCMT ref: 00C946A7

Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD

GetDriveTypeW.KERNEL32(?,00CE6BF0,00000061), ref: 00C94743

Strings

cdrom, xrefs: 00C9458F, 00C94594
removable, xrefs: 00C945EA, 00C945EF
all, xrefs: 00C94531, 00C94536
network, xrefs: 00C9469D, 00C946A2
ramdisk, xrefs: 00C946F1
fixed, xrefs: 00C94635, 00C9463A
unknown, xrefs: 00C94708

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6cd3a84d2063bd64ae9e55bb9ce1fd179c693a3d5df1f4fe63692fd18371cdd8
Instruction ID: b74bef0c27bb746c59c4da241310d4fc2f50b1694257bd69b7681bacbb6990cb
Opcode Fuzzy Hash: 6cd3a84d2063bd64ae9e55bb9ce1fd179c693a3d5df1f4fe63692fd18371cdd8
Instruction Fuzzy Hash: 1CB134716083029FCB18DF28C894E6EB7E5BFA5760F10491DF0A6C7291D730DA46CBA2

Function 00CA3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CBCC08), ref: 00CA40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CA40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CBCC08), ref: 00CA40F2
FreeLibrary.KERNEL32(00000000,?,00CBCC08), ref: 00CA413E
StringFromGUID2.OLE32(?,?,00000028,?,00CBCC08), ref: 00CA41A8
SysFreeString.OLEAUT32(00000009), ref: 00CA4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CA42C8
SysFreeString.OLEAUT32(?), ref: 00CA42F2

Strings

kernel32.dll, xrefs: 00CA40B6
GetModuleHandleExW, xrefs: 00CA40C7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a3d6f475007f54a3151fc4035c9c73b5e086b025e015865dda956a4f722c5a2b
Instruction ID: 0333dd5440d23463b609415f5ef9f0facf93faeaa07fec93f5f1efe98de46a5d
Opcode Fuzzy Hash: a3d6f475007f54a3151fc4035c9c73b5e086b025e015865dda956a4f722c5a2b
Instruction Fuzzy Hash: 16124F75A00116EFDB18DF54C884EAEB7B5FF89318F248098F9159B251D771EE42CBA0

Function 00C2326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00CF1990), ref: 00C62F8D
GetMenuItemCount.USER32(00CF1990), ref: 00C6303D
GetCursorPos.USER32(?), ref: 00C63081
SetForegroundWindow.USER32(00000000), ref: 00C6308A
TrackPopupMenuEx.USER32(00CF1990,00000000,?,00000000,00000000,00000000), ref: 00C6309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C630A9

Strings

0, xrefs: 00C2327D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6449976ea692486ddd92cbceb10dd40473546062dc96118720855d7afc3aead6
Instruction ID: b5f4355b998ac3f9727d7046f4ab989f57a8699fa8acc1db8075b197c358cb07
Opcode Fuzzy Hash: 6449976ea692486ddd92cbceb10dd40473546062dc96118720855d7afc3aead6
Instruction Fuzzy Hash: 7F713A30640656BEEB319F65DCC9FAABF69FF04324F200216F5246A1E1C7B1AE14D751

Function 00CB6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CB6DEB

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CB6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CB6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6E94
DestroyWindow.USER32(?), ref: 00CB6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CB6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6EFD
GetDesktopWindow.USER32 ref: 00CB6F16
GetWindowRect.USER32(00000000), ref: 00CB6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CB6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CB6F4D

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

Strings

0, xrefs: 00CB6D98
tooltips_class32, xrefs: 00CB6E58, 00CB6EDD

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
Instruction ID: 521a7cc510dc17704c36d3b56075bbfcb2c7aeae782f3367723b5034012c1ffa
Opcode Fuzzy Hash: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
Instruction Fuzzy Hash: 01716575504284AFDB21CF68D888FBABBE9EB89304F08051DF99997261C774EA05DB12

Function 00CB911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DragQueryPoint.SHELL32(?,?), ref: 00CB9147

Part of subcall function 00CB7674: ClientToScreen.USER32(?,?), ref: 00CB769A
Part of subcall function 00CB7674: GetWindowRect.USER32(?,?), ref: 00CB7710
Part of subcall function 00CB7674: PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CB91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CB91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CB91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CB9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CB923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9277
DragFinish.SHELL32(?), ref: 00CB927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CB9371

Strings

@GUI_DRAGID, xrefs: 00CB92E9
@GUI_DRAGFILE, xrefs: 00CB9320
@GUI_DROPID, xrefs: 00CB929E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: c8fae5093901cf0dc23d6fcce69ba39f8dff7a3f7bd6200d39f8eea78b9ef463
Instruction ID: 4b8e4a0a60e5eee8c7dab1de0c9a4d9b1ff37034336facebacd97d713e5f21b5
Opcode Fuzzy Hash: c8fae5093901cf0dc23d6fcce69ba39f8dff7a3f7bd6200d39f8eea78b9ef463
Instruction Fuzzy Hash: 03615C71108301AFD701DF64DC85EAFBBE8EF99750F000A2DF595931A1DB709A49DB52

Function 00C9C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C9C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C9C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C9C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C5F0
InternetCloseHandle.WININET(00000000), ref: 00C9C5FB

Strings

, xrefs: 00C9C575

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
Instruction ID: d4b462e46767f5a2243277ed4331e0d5de7c98368ed0219a89f1acaf4e69d41c
Opcode Fuzzy Hash: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
Instruction Fuzzy Hash: 895129B1600608BFEB219F65C9C8BBB7BFCFB08754F004519F956D6250DB34EA44AB61

Function 00CB856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CB8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85BA
GlobalLock.KERNEL32(00000000), ref: 00CB85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CB85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CB85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CBFC38,?), ref: 00CB8611
GlobalFree.KERNEL32(00000000), ref: 00CB8621
GetObjectW.GDI32(?,00000018,?), ref: 00CB8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CB8671
DeleteObject.GDI32(?), ref: 00CB8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CB86AF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
Instruction ID: 2b8de416996de828d150d9e47eb9d5cf8278d487819d0dd5b6f8d2d1164d646b
Opcode Fuzzy Hash: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
Instruction Fuzzy Hash: 98410975600205AFDB119FA5DC88FAE7BBCEF89B11F104159F915E7260DB709A05CB60

Function 00C914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C91502
VariantCopy.OLEAUT32(?,?), ref: 00C9150B
VariantClear.OLEAUT32(?), ref: 00C91517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C91657
VariantInit.OLEAUT32(?), ref: 00C91708
SysFreeString.OLEAUT32(?), ref: 00C9178C
VariantClear.OLEAUT32(?), ref: 00C917D8
VariantClear.OLEAUT32(?), ref: 00C917E7
VariantInit.OLEAUT32(00000000), ref: 00C91823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C91625
Default, xrefs: 00C916AF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2e98bc7c3d77815ed50b469201d600186b8eab1346ef1b23914998bdf3758575
Instruction ID: da466ba107a1c18f1dd2c70a2903df38b0f8eb784b8f2cc7c59c8cfd2896d783
Opcode Fuzzy Hash: 2e98bc7c3d77815ed50b469201d600186b8eab1346ef1b23914998bdf3758575
Instruction Fuzzy Hash: 77D10531A00116DBDF009F66D88EB7DB7B5BF44700F1A845AF846ABA90DB30DD42EB61

Function 00CAB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CAB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CAB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CAB80A
RegCloseKey.ADVAPI32(?), ref: 00CAB87E
RegCloseKey.ADVAPI32(?), ref: 00CAB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CAB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CAB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CAB922
FreeLibrary.KERNEL32(00000000), ref: 00CAB983
RegCloseKey.ADVAPI32(00000000), ref: 00CAB994

Strings

RegDeleteKeyExW, xrefs: 00CAB8FE
advapi32.dll, xrefs: 00CAB8ED

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: af7a5bb9d88d826cc94836e2ddc40d891d7f060dfb0de84de9d39e08b3b5a3f6
Instruction ID: 2ebbd25ea09866067d65afb8e5a2aa0562d0c5de5d8878e5ba3be517e517ca58
Opcode Fuzzy Hash: af7a5bb9d88d826cc94836e2ddc40d891d7f060dfb0de84de9d39e08b3b5a3f6
Instruction Fuzzy Hash: 57C18B30208202AFD714DF28D494F2ABBE5BF85308F14855CF4AA8B6A3CB75ED45CB91

Function 00CA255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CA25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CA25E8
CreateCompatibleDC.GDI32(?), ref: 00CA25F4
SelectObject.GDI32(00000000,?), ref: 00CA2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CA266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CA26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CA26D0
SelectObject.GDI32(?,?), ref: 00CA26D8
DeleteObject.GDI32(?), ref: 00CA26E1
DeleteDC.GDI32(?), ref: 00CA26E8
ReleaseDC.USER32(00000000,?), ref: 00CA26F3

Strings

(, xrefs: 00CA268D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f425ec19371c33e91ec982350a4e1efbdf124686ae6b9a0c590f621b5d478824
Instruction ID: c1fb33b4de0411e3172fdc15589c61132be18a7a51eeb33345f2b7d7d011e448
Opcode Fuzzy Hash: f425ec19371c33e91ec982350a4e1efbdf124686ae6b9a0c590f621b5d478824
Instruction Fuzzy Hash: 8661E275D0021AEFCF04CFA8D984EAEBBB5FF48314F208529E955A7250D770A941DFA0

Function 00C5DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C5DAA1

Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D659
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D66B
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D67D
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D68F
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6A1
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6B3
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6C5
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6D7
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6E9
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6FB
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D70D
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D71F
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D731

_free.LIBCMT ref: 00C5DA96

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5DAB8
_free.LIBCMT ref: 00C5DACD
_free.LIBCMT ref: 00C5DAD8
_free.LIBCMT ref: 00C5DAFA
_free.LIBCMT ref: 00C5DB0D
_free.LIBCMT ref: 00C5DB1B
_free.LIBCMT ref: 00C5DB26
_free.LIBCMT ref: 00C5DB5E
_free.LIBCMT ref: 00C5DB65
_free.LIBCMT ref: 00C5DB82
_free.LIBCMT ref: 00C5DB9A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
Instruction ID: 98bf967c841a294ae68ad0f7e3d3cfc61be9c9ff64cd0948d4a82f0e9ff190af
Opcode Fuzzy Hash: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
Instruction Fuzzy Hash: 83316F396043049FDB31AA39E845B9677E9FF11312F114419F86AE7291DF31ADC8E728

Function 00C8365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C8369C
_wcslen.LIBCMT ref: 00C836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C83797
GetClassNameW.USER32(?,?,00000400), ref: 00C8380C
GetDlgCtrlID.USER32(?), ref: 00C8385D
GetWindowRect.USER32(?,?), ref: 00C83882
GetParent.USER32(?), ref: 00C838A0
ScreenToClient.USER32(00000000), ref: 00C838A7
GetClassNameW.USER32(?,?,00000100), ref: 00C83921
GetWindowTextW.USER32(?,?,00000400), ref: 00C8395D

Strings

%s%u, xrefs: 00C83734

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 14644a6ca51950138c8386d9270087a09652f23526aab1fe75c8dec877ea0ab8
Instruction ID: 80e35009e4e4e7cbf2376e5048f4090f9feee18c43fed37c4fbd988a10a9bbf6
Opcode Fuzzy Hash: 14644a6ca51950138c8386d9270087a09652f23526aab1fe75c8dec877ea0ab8
Instruction Fuzzy Hash: 5C91E671204746AFD719EF24C885FAAF7A8FF44718F005629F9A9C2190DB30EB45CB95

Function 00C84954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C84994
GetWindowTextW.USER32(?,?,00000400), ref: 00C849DA
_wcslen.LIBCMT ref: 00C849EB
CharUpperBuffW.USER32(?,00000000), ref: 00C849F7
_wcsstr.LIBVCRUNTIME ref: 00C84A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C84A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C84A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C84AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C84B20
GetWindowRect.USER32(?,?), ref: 00C84B8B

Strings

ThumbnailClass, xrefs: 00C84A6F, 00C84AF1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0f41eaf5b202e61bb29b2e7737135912c80fe6029aa6b43f8e54452e80aa253f
Instruction ID: b31217c6463ee1b59dca2a95f5aa8b390f570e1d4a85be068b885f44fcf33fa5
Opcode Fuzzy Hash: 0f41eaf5b202e61bb29b2e7737135912c80fe6029aa6b43f8e54452e80aa253f
Instruction Fuzzy Hash: 7291BF311042069FDB18EF14C985FBA77E8FF84318F04856AFD959A096EB30EE45CBA5

Function 00CB8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CB8D5A
GetFocus.USER32 ref: 00CB8D6A
GetDlgCtrlID.USER32(00000000), ref: 00CB8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CB8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CB8ECF
GetMenuItemCount.USER32(?), ref: 00CB8EEC
GetMenuItemID.USER32(?,00000000), ref: 00CB8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CB8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CB8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CB8FA1

Strings

0, xrefs: 00CB8E9F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 085f80d400bcf3ad275c1ae4385b23368697a40b1211dc0fc5e8734f3365e163
Instruction ID: ee9bd0ab34af930ebbc613f079634e41d09c99a5dcafcf78a59df88cc3788266
Opcode Fuzzy Hash: 085f80d400bcf3ad275c1ae4385b23368697a40b1211dc0fc5e8734f3365e163
Instruction Fuzzy Hash: A381AF715083419FDB20CF24C884ABBBBEDFB88354F040A19F99497291DB70DA08DBA2

Function 00C8BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00CF1990,000000FF,00000000,00000030), ref: 00C8BFAC
SetMenuItemInfoW.USER32(00CF1990,00000004,00000000,00000030), ref: 00C8BFE1
Sleep.KERNEL32(000001F4), ref: 00C8BFF3
GetMenuItemCount.USER32(?), ref: 00C8C039
GetMenuItemID.USER32(?,00000000), ref: 00C8C056
GetMenuItemID.USER32(?,-00000001), ref: 00C8C082
GetMenuItemID.USER32(?,?), ref: 00C8C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C8C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C145

Strings

0, xrefs: 00C8BF3D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5bb50c41239e7a27492abd4a25638e3ac1a30c24a58e2a3949845b17883fc43e
Instruction ID: fc9072ffa612c28161d8a4a1c682797ecf97410ef8714b2828cb965910930373
Opcode Fuzzy Hash: 5bb50c41239e7a27492abd4a25638e3ac1a30c24a58e2a3949845b17883fc43e
Instruction Fuzzy Hash: 92619FB090025AAFDF21EF64DCC8FAE7BB8EB05348F140115E921A3292C735AE44DB75

Function 00C8DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C8DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C8DC46
_wcslen.LIBCMT ref: 00C8DC50
_wcsstr.LIBVCRUNTIME ref: 00C8DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C8DCBC

Strings

StringFileInfo\, xrefs: 00C8DC8F
DefaultLangCodepage, xrefs: 00C8DD1F
%u.%u.%u.%u, xrefs: 00C8DD9A
04090000, xrefs: 00C8DCF2
\VarFileInfo\Translation, xrefs: 00C8DCB4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 1c5d205ce1d9e6ebd8c64fcfd7389eb2625f44a8568db7d4c830de03eb4d9a65
Instruction ID: 0840d4c0a48c065e2e1998865e147faf156a256cf6335b72960ace5208a214a6
Opcode Fuzzy Hash: 1c5d205ce1d9e6ebd8c64fcfd7389eb2625f44a8568db7d4c830de03eb4d9a65
Instruction Fuzzy Hash: 9141FF329402117BDB24BA65DC83EBF77ACEF55754F10006AF901A61C2EA749A01A7B9

Function 00CACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CACD48

Part of subcall function 00CACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CACCAA
Part of subcall function 00CACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CACCBD
Part of subcall function 00CACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CACCCF
Part of subcall function 00CACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CACD05
Part of subcall function 00CACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CACCF3

Strings

RegDeleteKeyExW, xrefs: 00CACCC9
advapi32.dll, xrefs: 00CACCB8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3c894264d521e0d374281fe0929cda2eaa91c67fd3ef7ac8773c8503dfa24cc4
Instruction ID: 0b2a76349d94703d75b2729aa5716a3022ca081e6e60d2ca1f72992507d6dacc
Opcode Fuzzy Hash: 3c894264d521e0d374281fe0929cda2eaa91c67fd3ef7ac8773c8503dfa24cc4
Instruction Fuzzy Hash: 17318E7190112ABBDB209B55DCC8FFFBB7CEF16758F000265F916E2240DB749A459AB0

Function 00C93D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C93D40
_wcslen.LIBCMT ref: 00C93D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C93D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C93DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C93DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C93E55
CloseHandle.KERNEL32(00000000), ref: 00C93E60
CloseHandle.KERNEL32(00000000), ref: 00C93E6B

Strings

:, xrefs: 00C93D82
\, xrefs: 00C93D77
\??\%s, xrefs: 00C93D5B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
Instruction ID: 369f168465a81dc34bafe762a7e431c160b4f91144093f0797cfe8feda4f04aa
Opcode Fuzzy Hash: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
Instruction Fuzzy Hash: 4E319EB6A14249ABDB219FA0DC89FEF37BCEF88700F1041B5F619D6160EB7497448B24

Function 00C8E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C8E6B4

Part of subcall function 00C3E551: timeGetTime.WINMM(?,?,00C8E6D4), ref: 00C3E555

Sleep.KERNEL32(0000000A), ref: 00C8E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C8E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C8E727
SetActiveWindow.USER32 ref: 00C8E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C8E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C8E773
Sleep.KERNEL32(000000FA), ref: 00C8E77E
IsWindow.USER32 ref: 00C8E78A
EndDialog.USER32(00000000), ref: 00C8E79B

Strings

BUTTON, xrefs: 00C8E719

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
Instruction ID: 6e9a50df8c48f90935c4d660259bca45b13b8a73973902909f6306b6ba212771
Opcode Fuzzy Hash: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
Instruction Fuzzy Hash: 86216DB0200644AFEB106F60ECC9F3E3B69E754B4DF111525F811C21B1DBB1AC04EB2A

Function 00C8E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C8EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C8EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C8EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C8EAA7

Strings

play PlayMe wait, xrefs: 00C8EA91
close PlayMe, xrefs: 00C8EA6E, 00C8EA9B
alias PlayMe, xrefs: 00C8EA36
open , xrefs: 00C8EA0C
status PlayMe mode, xrefs: 00C8EA58
play PlayMe, xrefs: 00C8EAA2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e08197e1cfc7366606a240a7b835b5a477d3c1794327e3047344211725aabdda
Instruction ID: 126b6e2cbb86363023c8b064fbaec6438a81ccff142f0e71385fd7698aeec1a1
Opcode Fuzzy Hash: e08197e1cfc7366606a240a7b835b5a477d3c1794327e3047344211725aabdda
Instruction Fuzzy Hash: B11137316A02B979D724F766DC4ADFF6A7CEBD1F44F400435B411A20D1DE705A45D6B0

Function 00C89F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C8A012
SetKeyboardState.USER32(?), ref: 00C8A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C8A09D
GetKeyState.USER32(000000A0), ref: 00C8A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C8A0E3
GetKeyState.USER32(000000A1), ref: 00C8A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C8A120
GetKeyState.USER32(00000011), ref: 00C8A12E
GetAsyncKeyState.USER32(00000012), ref: 00C8A157
GetKeyState.USER32(00000012), ref: 00C8A165
GetAsyncKeyState.USER32(0000005B), ref: 00C8A18E
GetKeyState.USER32(0000005B), ref: 00C8A19C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
Instruction ID: fe08d9c3b6220888ab726e00f7c7ca1adb1bdbbd1dcdd33fdcae32b5ec5f7ce0
Opcode Fuzzy Hash: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
Instruction Fuzzy Hash: 7651EB309047886AFB35FBA048147FEAFB49F12348F0C459AD5D2571C2EA64AF4CC76A

Function 00C85CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C85CE2
GetWindowRect.USER32(00000000,?), ref: 00C85CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C85D59
GetDlgItem.USER32(?,00000002), ref: 00C85D69
GetWindowRect.USER32(00000000,?), ref: 00C85D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C85DCF
GetDlgItem.USER32(?,000003E9), ref: 00C85DDD
GetWindowRect.USER32(00000000,?), ref: 00C85DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C85E31
GetDlgItem.USER32(?,000003EA), ref: 00C85E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C85E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C85E67

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
Instruction ID: 23d0432077e33ef5bcf258d98c3ebf32dc41094ab10741f82274008b40aed4b8
Opcode Fuzzy Hash: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
Instruction Fuzzy Hash: 2151FE71A00605AFDF18DF68DD89BAEBBB9FB48305F148229F915E7290D7709E04CB54

Function 00C38BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5

DestroyWindow.USER32(?), ref: 00C38C81
KillTimer.USER32(00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C76973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000), ref: 00C769D4
DeleteObject.GDI32(00000000), ref: 00C769E6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
Instruction ID: 06a65041483b4d27f76de5ece1c864988f8af3adcf188b41a68549134a245599
Opcode Fuzzy Hash: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
Instruction Fuzzy Hash: BC61AF30511B00DFCB259F25E948B3977F1FB40322F189518F456A75A0CB75AE84DFA1

Function 00C39838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

GetSysColor.USER32(0000000F), ref: 00C39862

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
Instruction ID: e37c5105d7cca0abd11901240d30f12bd4c862d9c108820122c9f02f8ea0eb66
Opcode Fuzzy Hash: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
Instruction Fuzzy Hash: 8741A031114644AFDB205F389C88BBE3BA5EB46330F144715F9B6972E1C7B19D41DB12

Function 00C896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C89717
LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89720

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C89742
LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C89866

Strings

Error: , xrefs: 00C8981D
^ ERROR, xrefs: 00C897FB
%s (%d) : ==> %s: %s %s, xrefs: 00C8984A
Line %d (File "%s"):, xrefs: 00C8978F
Line %d:, xrefs: 00C897A0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b099190c0e988f7c2df2594e45a09ebf75c586a5e02f18f7c0cc1180d137a4ab
Instruction ID: 556b7384e936b6f72cb834a1eae9b461bcf8029a9d9a6f89ec8e00ebd938a355
Opcode Fuzzy Hash: b099190c0e988f7c2df2594e45a09ebf75c586a5e02f18f7c0cc1180d137a4ab
Instruction Fuzzy Hash: 56414C72800219ABCB04FBE0ED86EFEB778EF55344F140465F505720A2EA356F49EB61

Function 00C806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C80804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C8082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C80837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C8083C

Strings

SOFTWARE\Classes\, xrefs: 00C8070E
\IPC$, xrefs: 00C80784
\CLSID, xrefs: 00C80724

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
Instruction ID: 71ce4a8c52c4dbd3c3feeb69be66025c861a10ee9a6df28697453dd63d017c93
Opcode Fuzzy Hash: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
Instruction Fuzzy Hash: 27411472C10229ABCF21EBA4EC859EDB778FF44354F144129E911A31A1EB309E48DBA0

Function 00CB3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CB403B
CreateCompatibleDC.GDI32(00000000), ref: 00CB4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CB4055
SelectObject.GDI32(00000000,00000000), ref: 00CB405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CB4068
DeleteDC.GDI32(00000000), ref: 00CB4072
GetWindowLongW.USER32(?,000000EC), ref: 00CB407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CB4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CB409E

Strings

static, xrefs: 00CB3FD3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: da773a209aa555379c02f44f5a4cafd5be6af2bde79cc5cadcdbf84a74f82538
Instruction ID: aa98bb29457e5aaf70b722d382ef839364f441eb0c67086d7b982af6b1abd634
Opcode Fuzzy Hash: da773a209aa555379c02f44f5a4cafd5be6af2bde79cc5cadcdbf84a74f82538
Instruction Fuzzy Hash: CF316C32505219ABDF21AFA8DC49FEE3B68EF0D320F110311FA65A61A1C775D910DBA4

Function 00CA3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA3C5C
CoInitialize.OLE32(00000000), ref: 00CA3C8A
CoUninitialize.OLE32 ref: 00CA3C94
_wcslen.LIBCMT ref: 00CA3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CA3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CA3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CA3F0E
CoGetObject.OLE32(?,00000000,00CBFB98,?), ref: 00CA3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CA3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CA3FC4
VariantClear.OLEAUT32(?), ref: 00CA3FD8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e22cc1e85b8df4965a99fe1a9c361a79525cc0eec7445faa290cb73956fddc97
Instruction ID: 7a485d9bdf53d75990904957e5c50a8c13ee1122c8fb4e8e7012a556d175d59e
Opcode Fuzzy Hash: e22cc1e85b8df4965a99fe1a9c361a79525cc0eec7445faa290cb73956fddc97
Instruction Fuzzy Hash: DBC15671A083469FC700DF68C89492BBBE9FF8A748F10495DF99A9B250D731EE05CB52

Function 00C97A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C97AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C97B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C97BA3
CoCreateInstance.OLE32(00CBFD08,00000000,00000001,00CE6E6C,?), ref: 00C97BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C97C74
CoTaskMemFree.OLE32(?,?), ref: 00C97CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C97D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C97D7A
CoTaskMemFree.OLE32(00000000), ref: 00C97D81
CoTaskMemFree.OLE32(00000000), ref: 00C97DD6
CoUninitialize.OLE32 ref: 00C97DDC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a7f099b0532e77ad06c1ad53e93e52c73cbc2aa928de761d6d7bfd4a663c6296
Instruction ID: 935f9d019360dc34da580cee8a7b5db24336ee7e965d27b7cbc5a39aa464a14d
Opcode Fuzzy Hash: a7f099b0532e77ad06c1ad53e93e52c73cbc2aa928de761d6d7bfd4a663c6296
Instruction Fuzzy Hash: 70C11A75A04119AFCB14DFA4C888DAEBBF9FF48304F1485A9F8199B661D731EE41CB90

Function 00CB541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CB5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB5515
CharNextW.USER32(00000158), ref: 00CB5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CB5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CB559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB55AC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
Instruction ID: a4e733e9c3d38d0fc243ba9b99321d6249b13efb6e2273f210fd43c4016db581
Opcode Fuzzy Hash: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
Instruction Fuzzy Hash: 7E616770900608AFDF209FA5CC84FFE7BB9EB09725F148145FA25AB290D7749A81DB61

Function 00C7FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C7FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C7FB08
VariantInit.OLEAUT32(?), ref: 00C7FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C7FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C7FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C7FBA1
VariantClear.OLEAUT32(?), ref: 00C7FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C7FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBCC
VariantClear.OLEAUT32(?), ref: 00C7FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBE9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
Instruction ID: 312337c0c38e1d2f811c8888c907e5f9b38adaa46e94a5e74fdef1044b81bb56
Opcode Fuzzy Hash: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
Instruction Fuzzy Hash: D2414435900219DFCB00DF64D894ABDBBB9EF48354F008569E955A7251C730AA46DFA0

Function 00C89C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C89CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C89D22
GetKeyState.USER32(000000A0), ref: 00C89D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C89D57
GetKeyState.USER32(000000A1), ref: 00C89D6C
GetAsyncKeyState.USER32(00000011), ref: 00C89D84
GetKeyState.USER32(00000011), ref: 00C89D96
GetAsyncKeyState.USER32(00000012), ref: 00C89DAE
GetKeyState.USER32(00000012), ref: 00C89DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C89DD8
GetKeyState.USER32(0000005B), ref: 00C89DEA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
Instruction ID: 291c42765231436366c020864988e30506c2471fd3fdafd3a56a5456cb35cbf4
Opcode Fuzzy Hash: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
Instruction Fuzzy Hash: 944195346047C96DFF31A664C8443B5BEA0EB1134CF0C805ADAD6565C2DBB59BC8C7AA

Function 00CA055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CA05BC
inet_addr.WSOCK32(?), ref: 00CA061C
gethostbyname.WSOCK32(?), ref: 00CA0628
IcmpCreateFile.IPHLPAPI ref: 00CA0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CA07B9
WSACleanup.WSOCK32 ref: 00CA07BF

Strings

Ping, xrefs: 00CA0676

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 42d81ca675d86844ddcb6cf84fae042ff21c83cefa204bdcd59c160dc8f0d12b
Instruction ID: 8aea2cc625a203019d38260957b1682af7c793d0942899df6f582a7248c9c806
Opcode Fuzzy Hash: 42d81ca675d86844ddcb6cf84fae042ff21c83cefa204bdcd59c160dc8f0d12b
Instruction Fuzzy Hash: E2918D356042029FD720DF19D489F1ABBE0AF4A358F2485A9F46ADB6A2C730FD45CF91

Function 00CA8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CA8CF3

Part of subcall function 00C88E54: _wcslen.LIBCMT ref: 00C88E77

_wcslen.LIBCMT ref: 00CA8D4E
_wcslen.LIBCMT ref: 00CA8D9C
_wcslen.LIBCMT ref: 00CA8DDC
_wcslen.LIBCMT ref: 00CA8E6E

Strings

stdcall, xrefs: 00CA8DD6, 00CA8DDB
winapi, xrefs: 00CA8D96, 00CA8D9B
none, xrefs: 00CA8E65, 00CA8E6A
cdecl, xrefs: 00CA8D48, 00CA8D4D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8b40d4b23f64768e216ec99479368aa78e9cccf5799913f81cc0697a9bfaa20f
Instruction ID: ed524daadb9d99bcb93b866d96ab5244e873975d1f17157eeaf9b24bc6a11a09
Opcode Fuzzy Hash: 8b40d4b23f64768e216ec99479368aa78e9cccf5799913f81cc0697a9bfaa20f
Instruction Fuzzy Hash: FB51B275A00117DBCF14DF68C9409BEB7A5BF66728B204229E426E72C4DF30DE48D790

Function 00CA372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CA3774
CoUninitialize.OLE32 ref: 00CA377F
CoCreateInstance.OLE32(?,00000000,00000017,00CBFB78,?), ref: 00CA37D9
IIDFromString.OLE32(?,?), ref: 00CA384C
VariantInit.OLEAUT32(?), ref: 00CA38E4
VariantClear.OLEAUT32(?), ref: 00CA3936

Strings

NULL Pointer assignment, xrefs: 00CA381E
Invalid parameter, xrefs: 00CA3865
Failed to create object, xrefs: 00CA37E4, 00CA389A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d84cfc1304830885c8db52f31ec182dbf4f237eaa3956454b179e9be02fa0ab6
Instruction ID: f8ac361755493e765eba72c224ae481e437a38880799d9ca72a44e024b8e0fd5
Opcode Fuzzy Hash: d84cfc1304830885c8db52f31ec182dbf4f237eaa3956454b179e9be02fa0ab6
Instruction Fuzzy Hash: 5E61E170608342AFD310DF65D898F6AB7E4EF4A708F10091EF9959B291C774EE48CB92

Function 00C93388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C933CF

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C933F0

Strings

Incorrect parameters to object property !, xrefs: 00C934AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00C93504
Error: , xrefs: 00C934D1
"%s" (%d) : ==> %s:, xrefs: 00C93522
Line %d (File "%s"):, xrefs: 00C93443, 00C9345C
^ ERROR , xrefs: 00C9349E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2a85b96faa88ed20203f028d460c4ac96eaee2777cf62fc332e4c87b05b4ccb4
Instruction ID: 89d67aa84c3c43dcc2df64077b82a2787e0a6b38213b8788ccc70d1790d75720
Opcode Fuzzy Hash: 2a85b96faa88ed20203f028d460c4ac96eaee2777cf62fc332e4c87b05b4ccb4
Instruction Fuzzy Hash: 86519A72900259ABDF15EBA0ED46EFEB778EF18340F144065F405720A2EB316F58EB61

Function 00C8B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C8B5FC
_wcslen.LIBCMT ref: 00C8B608
_wcslen.LIBCMT ref: 00C8B64D
_wcslen.LIBCMT ref: 00C8B68C
_wcslen.LIBCMT ref: 00C8B6C7

Strings

REMOVE, xrefs: 00C8B602, 00C8B607
KEYS, xrefs: 00C8B647, 00C8B64C
EXISTS, xrefs: 00C8B686, 00C8B68B
APPEND, xrefs: 00C8B6C1, 00C8B6C6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
Instruction ID: 89acb396111e1b9b9c59bfa175aae280de60c382b7ff9ffbeaf0a2d01db211f8
Opcode Fuzzy Hash: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
Instruction Fuzzy Hash: BB41A432A101279ACB247F7D88905BEB7A5BF60798B254129F435D7284F731CE81D794

Function 00C95393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C95416
GetLastError.KERNEL32 ref: 00C95420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C954A7

Strings

READY, xrefs: 00C95460, 00C95468
READONLY, xrefs: 00C95452
UNKNOWN, xrefs: 00C95444
INVALID, xrefs: 00C95459
NOTREADY, xrefs: 00C9544B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
Instruction ID: 3e661bfd007ff7c9f8755df69ee057df30a2a4b36b83b806e0d3f26b0ef8558d
Opcode Fuzzy Hash: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
Instruction Fuzzy Hash: 7931D075A006049FCF52DF69C888BAEBBB4FF54305F148069E416DB292DB30DE82CB90

Function 00CB3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CB3C79
SetMenu.USER32(?,00000000), ref: 00CB3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB3D10
IsMenu.USER32(?), ref: 00CB3D24
CreatePopupMenu.USER32 ref: 00CB3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB3D5B
DrawMenuBar.USER32 ref: 00CB3D63

Strings

F, xrefs: 00CB3D4E
0, xrefs: 00CB3C54

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e18038617d40727f61ae35341ab9800c2e64d2861b2e6fdce0e75afde42449db
Instruction ID: 0503c7cb8b1a68dca8f8df7d711a9d2f3eacc52b7d3a737e77f487d8c8a6600e
Opcode Fuzzy Hash: e18038617d40727f61ae35341ab9800c2e64d2861b2e6fdce0e75afde42449db
Instruction Fuzzy Hash: 70418778A01209EFDB24CFA4D888BEE7BB5FF59350F140129F956A7360D770AA14DB90

Function 00C81EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C81F64
GetDlgCtrlID.USER32 ref: 00C81F6F
GetParent.USER32 ref: 00C81F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81F8E
GetDlgCtrlID.USER32(?), ref: 00C81F97
GetParent.USER32(?), ref: 00C81FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81FAE

Strings

ComboBox, xrefs: 00C81EEC
ListBox, xrefs: 00C81F21

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 865ce91cb52471000397afd7187d85720660fa72595a2fb01ea9bce07c66270f
Instruction ID: 1e09d5854ecea650d9b6a9a6fddc23aacedfe39dde8737e192f9103c84a6a55c
Opcode Fuzzy Hash: 865ce91cb52471000397afd7187d85720660fa72595a2fb01ea9bce07c66270f
Instruction Fuzzy Hash: 7421C274E00214BBCF04AFA0DC85EEEBBB8EF09354F040215FA61672D1DB745905DB64

Function 00C81FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C82043
GetDlgCtrlID.USER32 ref: 00C8204E
GetParent.USER32 ref: 00C8206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8206D
GetDlgCtrlID.USER32(?), ref: 00C82076
GetParent.USER32(?), ref: 00C8208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8208D

Strings

ComboBox, xrefs: 00C81FCD
ListBox, xrefs: 00C82002

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 08c18a318623fc94e1c31106319741834715e2e548f0f46531ea2116790328da
Instruction ID: f414ccf583ffd6c59411584aaab69047b538de2754cb36ecceb01dcf867b6b18
Opcode Fuzzy Hash: 08c18a318623fc94e1c31106319741834715e2e548f0f46531ea2116790328da
Instruction Fuzzy Hash: 2421A1B5E00218BBCF10BFA0DC89FEEBBB8EF09344F004116B951A71A1DB755915EB64

Function 00CB3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CB3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CB3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CB3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CB3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CB3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CB3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CB3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CB3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CB3C13

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1de8ee6d98eec10aeb1869292dd9b6b82c4fbdab4e1029d8a15efb90af0f1016
Instruction ID: 2d3811d4a9126d16be6f247543df47f7312bd22c84ceaeb0372b148a74f92713
Opcode Fuzzy Hash: 1de8ee6d98eec10aeb1869292dd9b6b82c4fbdab4e1029d8a15efb90af0f1016
Instruction Fuzzy Hash: D5617975A00288AFDB10DFA8CC81FEE77B8EB09710F140199FA15A72A1D770AE45DB50

Function 00C8B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C8B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C8B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B21D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
Instruction ID: 17d763ca71d212e6e262ca8e47475cddcf4d0f9ba9459d19b3b3f7220df34e72
Opcode Fuzzy Hash: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
Instruction Fuzzy Hash: 703180B5500204BFDB10AF64DC88FBD7BA9BB51319F104116FA15D7190DBB8AE40CF69

Function 00C52C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C52C94

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C52CA0
_free.LIBCMT ref: 00C52CAB
_free.LIBCMT ref: 00C52CB6
_free.LIBCMT ref: 00C52CC1
_free.LIBCMT ref: 00C52CCC
_free.LIBCMT ref: 00C52CD7
_free.LIBCMT ref: 00C52CE2
_free.LIBCMT ref: 00C52CED
_free.LIBCMT ref: 00C52CFB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
Instruction ID: 475d4439ecaff2a83591c0f78b651abd765da17238fe8a82fb61854a4e436bb1
Opcode Fuzzy Hash: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
Instruction Fuzzy Hash: D311A47A100108AFCB02EF54D882CDD3BA5FF16351F5144A5FE48AF322DA31EE94AB94

Function 00C97DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C97FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C97FC1
GetFileAttributesW.KERNEL32(?), ref: 00C97FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C98005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C980B0

Strings

*.*, xrefs: 00C98066

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7eed7f3ac911d5fcb845a17e8eeae6875b8fec6c8bbb3700e153d79d0bb954bb
Instruction ID: 3ecb994b092f22caaa36d416c6b3050faef87061c7df8efdbe6fc527eb3e8baf
Opcode Fuzzy Hash: 7eed7f3ac911d5fcb845a17e8eeae6875b8fec6c8bbb3700e153d79d0bb954bb
Instruction Fuzzy Hash: 1B81B1715182419FCF20EF55C888AAEB3E8BF89310F144D6EF895D7250EB34DE498B52

Function 00C25BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C25C7A

Part of subcall function 00C25D0A: GetClientRect.USER32(?,?), ref: 00C25D30
Part of subcall function 00C25D0A: GetWindowRect.USER32(?,?), ref: 00C25D71
Part of subcall function 00C25D0A: ScreenToClient.USER32(?,?), ref: 00C25D99

GetDC.USER32 ref: 00C646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C64708
SelectObject.GDI32(00000000,00000000), ref: 00C64716
SelectObject.GDI32(00000000,00000000), ref: 00C6472B
ReleaseDC.USER32(?,00000000), ref: 00C64733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C647C4

Strings

U, xrefs: 00C64693

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8189253f17f5a3d04637a1ec66b9aee3043ca7ac69506612e1448e955a189878
Instruction ID: c477a644dfbec6314441404d75c1e6d8822da729e65c2d8880a3e66f55294443
Opcode Fuzzy Hash: 8189253f17f5a3d04637a1ec66b9aee3043ca7ac69506612e1448e955a189878
Instruction Fuzzy Hash: 7771BC31400205DFCF398F64C9C4ABA7BB5FF4A360F184269FD665A2A6D7319A41DF60

Function 00C9359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C935E4

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

LoadStringW.USER32(00CF2390,?,00000FFF,?), ref: 00C9360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C93724
Error: , xrefs: 00C936EF
"%s" (%d) : ==> %s:, xrefs: 00C93742
^ ERROR, xrefs: 00C936C9
Line %d (File "%s"):, xrefs: 00C9366B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 9fc4ea60aad681e230c0c93c37be3610821bbf63813d22821ec0d91070e7722d
Instruction ID: 1073e612bd997d89c26381f627256ef5283069313e4ed13fe2899b9d3cabd3ac
Opcode Fuzzy Hash: 9fc4ea60aad681e230c0c93c37be3610821bbf63813d22821ec0d91070e7722d
Instruction Fuzzy Hash: AE517B7290025AABCF14EBE0DC86EEEBB78EF14344F084125F505724A1EB305B99EB61

Function 00CB8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

Part of subcall function 00C3912D: GetCursorPos.USER32(?), ref: 00C39141
Part of subcall function 00C3912D: ScreenToClient.USER32(00000000,?), ref: 00C3915E
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000001), ref: 00C39183
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000002), ref: 00C3919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CB8B6B
ImageList_EndDrag.COMCTL32 ref: 00CB8B71
ReleaseCapture.USER32 ref: 00CB8B77
SetWindowTextW.USER32(?,00000000), ref: 00CB8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CB8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CB8CFF

Strings

@GUI_DRAGFILE, xrefs: 00CB8C9A
@GUI_DROPID, xrefs: 00CB8C51

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: fedc9656d6fb4b40dbfe3e6c977114c467720e05910ba13bd05bbf4cc5cc7f58
Instruction ID: accb2aa7598fc39d9044e838417d5aba29f04e76468f561ca409ccc3eac69604
Opcode Fuzzy Hash: fedc9656d6fb4b40dbfe3e6c977114c467720e05910ba13bd05bbf4cc5cc7f58
Instruction Fuzzy Hash: F4516C71104214AFD704EF14DC95FAE77E4FB88714F04062DF956972E1CB71AA48DBA2

Function 00C9C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C2CA
GetLastError.KERNEL32 ref: 00C9C322
SetEvent.KERNEL32(?), ref: 00C9C336
InternetCloseHandle.WININET(00000000), ref: 00C9C341

Strings

, xrefs: 00C9C2BB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
Instruction ID: 3aaefd0fcdae68b1ac0dfc4014ea53ed24d70bd59fcc983aa111d73cebb9ce6c
Opcode Fuzzy Hash: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
Instruction Fuzzy Hash: 75314BB1600608AFDB219FA58CC8BAB7AFCFB49744F14851EF456E2211DB34DE049B61

Function 00C8989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C63AAF,?,?,Bad directive syntax error,00CBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C898BC
LoadStringW.USER32(00000000,?,00C63AAF,?), ref: 00C898C3

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C89987

Strings

., xrefs: 00C8996D
%s (%d) : ==> %s.: %s %s, xrefs: 00C898F1
Line %d (File "%s"):, xrefs: 00C8992D
Line %d:, xrefs: 00C89912
Error: , xrefs: 00C89955

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d52f94a9fdc818700f8efd7d78f01628dccaa0ee9f850a049ffbd233664687a1
Instruction ID: 6d76e7114af3bc9ea09e794ddf34a2dc454046cb4dcf7789129c07ad83b100df
Opcode Fuzzy Hash: d52f94a9fdc818700f8efd7d78f01628dccaa0ee9f850a049ffbd233664687a1
Instruction Fuzzy Hash: D6218031D5025EABCF11EF90DC46EEE7739FF28304F084469F519620A2EB719618EB11

Function 00C8209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C8214D

Strings

SHELLDLL_DefView, xrefs: 00C820CC
largeicons, xrefs: 00C820E1
smallicons, xrefs: 00C82115
list, xrefs: 00C8212F
details, xrefs: 00C820FB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
Instruction ID: dc067fa5594b420f903aeaccf0c3dfdddc4a83aa3f3903e1036fe3ee6ea1508e
Opcode Fuzzy Hash: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
Instruction Fuzzy Hash: 8C110676688706BAF6157221DC0EEAF379CEB0432CF301126FB05A50D1FEA16D016718

Function 00C58D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7334fd3f7713cc131145a63c6fead313a6354a2ebceb73be651155604d4959ba
Instruction ID: b9ec7c85bbae5aba758a9002e1b8993248a181f93a31e7a7833589753f77459c
Opcode Fuzzy Hash: 7334fd3f7713cc131145a63c6fead313a6354a2ebceb73be651155604d4959ba
Instruction Fuzzy Hash: 4DC1E278904249EFCF21DFA8C841BADBBB0FF4D311F144199E825A7292C7748A89CB65

Function 00C5CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C5CEB7
_free.LIBCMT ref: 00C5CF22
_free.LIBCMT ref: 00C5CF48
_free.LIBCMT ref: 00C5CF71
_free.LIBCMT ref: 00C5CFA9
_free.LIBCMT ref: 00C5CFDA
_free.LIBCMT ref: 00C5D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C5D09C
_free.LIBCMT ref: 00C5D0B5

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
Instruction ID: 666fd567b1bf1079b4264ef13d4931217a7b4cfb50573cba79b68fc1b289d38d
Opcode Fuzzy Hash: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
Instruction Fuzzy Hash: EB614579904300AFDB21AFF4D8C1B6E7BE5AF01722F14026DFC11A7282D6319AC9D799

Function 00CB50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CB5186
ShowWindow.USER32(?,00000000), ref: 00CB51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CB51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CB51D1

Part of subcall function 00CB6FBA: DeleteObject.GDI32(00000000), ref: 00CB6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CB520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CB524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CB5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CB5296

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
Instruction ID: 3dfb4f195d79f793b2ebee0268d8f8bf5834106c8340b4b8f765b85cedf736ee
Opcode Fuzzy Hash: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
Instruction Fuzzy Hash: 1651A330A52A08FFEF249F69DC4ABDD3B65FB05321F144112F525962E0C7B5AE80DB41

Function 00C38B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C76890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C76901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C7691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C7692D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
Instruction ID: e26b536befb2e89e2ba51560b69fb3a8dc937c86fafaf9f25e3b63fbd1760317
Opcode Fuzzy Hash: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
Instruction Fuzzy Hash: 67518B7061070AEFDB20CF25CC95FAABBB5EB48364F144518F956972E0DB70EA50DB50

Function 00C9C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C182
GetLastError.KERNEL32 ref: 00C9C195
SetEvent.KERNEL32(?), ref: 00C9C1A9

Part of subcall function 00C9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
Part of subcall function 00C9C253: GetLastError.KERNEL32 ref: 00C9C322
Part of subcall function 00C9C253: SetEvent.KERNEL32(?), ref: 00C9C336
Part of subcall function 00C9C253: InternetCloseHandle.WININET(00000000), ref: 00C9C341

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
Instruction ID: f3bf25ccea99aca2c773b88b372b4e4420a845acc1474b4daa45a846775d18a5
Opcode Fuzzy Hash: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
Instruction Fuzzy Hash: F0318C71200A41AFDF259FA5DC88B6ABBF8FF58300B10451DF96682620DB30E914ABA0

Function 00C825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C82601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C82605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C8260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C82623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C82627

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
Instruction ID: 40ae556efb14eca111ccbf6d9eb20dbf36d6da401440cdbb5423888bb1a5cfd9
Opcode Fuzzy Hash: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
Instruction Fuzzy Hash: 8F01BC70290610BBFB2067699CCAF9D3F59DB5EB16F100102F358AF0E1C9F224449AAA

Function 00C81803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C81449,?,?,00000000), ref: 00C8180C
HeapAlloc.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81828
GetCurrentProcess.KERNEL32(?,00000000,?,00C81449,?,?,00000000), ref: 00C81830
DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81843
GetCurrentProcess.KERNEL32(00C81449,00000000,?,00C81449,?,?,00000000), ref: 00C8184B
DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C8184E
CreateThread.KERNEL32(00000000,00000000,00C81874,00000000,00000000,00000000), ref: 00C81868

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
Instruction ID: c7e58f9a43465c68fdf24034495d76dcfa2807b22fa1b7784328f02c2be779f6
Opcode Fuzzy Hash: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
Instruction Fuzzy Hash: 1401BFB5240304BFE710AFA5DC8DF5F3BACEB89B11F414521FA05EB1A1C6709810CB20

Function 00CAA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C8D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C8D501
Part of subcall function 00C8D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C8D50F
Part of subcall function 00C8D4DC: CloseHandle.KERNEL32(00000000), ref: 00C8D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAA16D
GetLastError.KERNEL32 ref: 00CAA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CAA268
GetLastError.KERNEL32(00000000), ref: 00CAA273
CloseHandle.KERNEL32(00000000), ref: 00CAA2C4

Strings

SeDebugPrivilege, xrefs: 00CAA18F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4da1acc658823427920ff7d866b7a2864fc6bd4efc7446b7b63ef102f4c3d5ea
Instruction ID: 6c11b5a72e2c708ef6521ce9b3cba037201537a083e78c2093832165c70c5b10
Opcode Fuzzy Hash: 4da1acc658823427920ff7d866b7a2864fc6bd4efc7446b7b63ef102f4c3d5ea
Instruction Fuzzy Hash: 77618E70204242AFD720DF19C494F1ABBE1AF4531CF14859CE46A8BBA3C772ED45CB92

Function 00CB3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CB3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CB393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CB3954
_wcslen.LIBCMT ref: 00CB3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CB39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CB39F4

Strings

SysListView32, xrefs: 00CB38F7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cad4ef81cc0c0b332aaa56952bd3d1e28dd194797d47dd7501210d1c03cb9139
Instruction ID: 590a7383bf4e4869b3eaa1117359884fb30506b35153bc3245496f30b202788f
Opcode Fuzzy Hash: cad4ef81cc0c0b332aaa56952bd3d1e28dd194797d47dd7501210d1c03cb9139
Instruction Fuzzy Hash: DA41A571A00258ABEF219FA4CC45FEE77A9EF18350F140526F954E7281D7B19E80DB90

Function 00C8BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8BCFD
IsMenu.USER32(00000000), ref: 00C8BD1D
CreatePopupMenu.USER32 ref: 00C8BD53
GetMenuItemCount.USER32(012B64E0), ref: 00C8BDA4
InsertMenuItemW.USER32(012B64E0,?,00000001,00000030), ref: 00C8BDCC

Strings

2, xrefs: 00C8BD37
0, xrefs: 00C8BCA8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
Instruction ID: 3de101d3e3036f6e64d2a50301c9c2d70aeeefc31850b9fff6e424b6607944ec
Opcode Fuzzy Hash: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
Instruction Fuzzy Hash: 5A51A070600205EBDF20EFA9D8C4BAEBBF4BF45318F14421AF46197295D770AE45CB69

Function 00C8C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C8C913

Strings

info, xrefs: 00C8C8B4
blank, xrefs: 00C8C895
question, xrefs: 00C8C8CC
warning, xrefs: 00C8C8FC
stop, xrefs: 00C8C8E4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
Instruction ID: f1efa5eba0a6b45b29a3c9c6bbc0f6fe8fc5244b51eb826c37dfb631b4a5c77c
Opcode Fuzzy Hash: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
Instruction Fuzzy Hash: 45112B32689706BAA7047B159CC2DAE279CEF2536CB20007BF500A62C2E7745E40637D

Function 00C8DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C8DE42
gethostname.WSOCK32(?,00000100), ref: 00C8DE5C
gethostbyname.WSOCK32(?), ref: 00C8DE69
inet_ntoa.WSOCK32(?), ref: 00C8DEAB
_strcat.LIBCMT ref: 00C8DEB9
WSACleanup.WSOCK32 ref: 00C8DEDE

Strings

0.0.0.0, xrefs: 00C8DE87

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 8dd28decdc2af679810e4e73356d64712693d820f65efbe710a36ab9a8bab901
Instruction ID: 3a189c6961229dcf1632c25c9e7f2d0b452b92a4074fa2b525061c0b304edd7d
Opcode Fuzzy Hash: 8dd28decdc2af679810e4e73356d64712693d820f65efbe710a36ab9a8bab901
Instruction Fuzzy Hash: C2115971900114AFCB24BB20DC4AFEE37ACEF10315F1001B9F146AA0D1EF719A819B64

Function 00CB9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetSystemMetrics.USER32(0000000F), ref: 00CB9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CB9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CBA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CBA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CBA263
ShowWindow.USER32(00000003,00000000), ref: 00CBA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CBA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CBA2CA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
Instruction ID: 1df0b9feaf004147c0fedb983580c88e2365516dc00d973cc334246d321b1cfc
Opcode Fuzzy Hash: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
Instruction Fuzzy Hash: 5CB17931600215DBDF14CF68C9C57EE7BB2FF44711F098069ED99AB295DB31AA40CB52

Function 00C8ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C8ED2A
_wcslen.LIBCMT ref: 00C8ED3B
_wcslen.LIBCMT ref: 00C8ED79
_wcslen.LIBCMT ref: 00C8EDAF
_wcslen.LIBCMT ref: 00C8EDDF
_wcslen.LIBCMT ref: 00C8EDEF
_wcslen.LIBCMT ref: 00C8EE2B
_wcslen.LIBCMT ref: 00C8EE5A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
Instruction ID: 7a40bdabe331e384dd52ef5cfb12b9d20c5dae186db1634e31cd3bd1c8657882
Opcode Fuzzy Hash: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
Instruction Fuzzy Hash: 51418065C1021876CB21FBB4C88AACFB7ACBF45710F508562E518F3121FB34E656D3AA

Function 00C3F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C3F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F454

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
Instruction ID: 58c7a4a0aa701df1d0d58157b2ec289248fdf2ccc1cb8ac0405ef8a2c3115c17
Opcode Fuzzy Hash: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
Instruction Fuzzy Hash: 1D410D31924740BBC7358B2DC8C877E7B91AF56324F148D3CE09B56660C671AA83D751

Function 00CB2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB2D1B
GetDC.USER32(00000000), ref: 00CB2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CB2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CB2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CB2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CB2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CB2DE1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
Instruction ID: c71d0bd30a13bbee39730a5068bed730f2e30956d4e561b2a6910cfd45f14afb
Opcode Fuzzy Hash: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
Instruction Fuzzy Hash: 64317A72201214BFEB218F64DC8AFEB3BADEF49715F044155FE08AA291C6B59C51CBB4

Function 00C85622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C85637
_memcmp.LIBVCRUNTIME ref: 00C85659
_memcmp.LIBVCRUNTIME ref: 00C85671
_memcmp.LIBVCRUNTIME ref: 00C85684
_memcmp.LIBVCRUNTIME ref: 00C8569E
_memcmp.LIBVCRUNTIME ref: 00C856B1
_memcmp.LIBVCRUNTIME ref: 00C856C9
_memcmp.LIBVCRUNTIME ref: 00C856E4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
Instruction ID: e7fa8825f1aa7decfa2e1c48e233f09c50b3fb936d39f33be4a2e2debf4110be
Opcode Fuzzy Hash: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
Instruction Fuzzy Hash: FA21A461650A09BBD6147A218E82FFB335CBF20399F584034FD059A781F7A1EE5193AD

Function 00CA4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00CA5007
NULL Pointer assignment, xrefs: 00CA502E, 00CA5383

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7013c0cc2dda550348c4590a2f0553bab0dc564cc44bc445e085c419f6c3171e
Instruction ID: d61a21e56877c4bb47108df6e7632494c154abe8d63588842c7a8b8514707875
Opcode Fuzzy Hash: 7013c0cc2dda550348c4590a2f0553bab0dc564cc44bc445e085c419f6c3171e
Instruction Fuzzy Hash: 35D1B271A0060BAFDF10CFA8C881BAEB7B5BF49348F14C569E915AB291E770DE45CB50

Function 00C61522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C615CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C61651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C617FB,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C616E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C616FB

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C61777
__freea.LIBCMT ref: 00C617A2
__freea.LIBCMT ref: 00C617AE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 14882b56a5c897c4577e5b25a147d82e669e6a625fb7954caf3b484d65d246df
Instruction ID: 5dc09338d0bfeac252390a12958333360c6e9e26592b31845ae39c1eeb6caed2
Opcode Fuzzy Hash: 14882b56a5c897c4577e5b25a147d82e669e6a625fb7954caf3b484d65d246df
Instruction Fuzzy Hash: 6B91AF72E002169ADB308E75C8C1AEEBBB5EF49312F1C4659EC12E7191DB35DE44DBA0

Function 00CA4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA4648
VariantInit.OLEAUT32(?), ref: 00CA4749
VariantClear.OLEAUT32(?), ref: 00CA4753
VariantClear.OLEAUT32(?), ref: 00CA47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CA472C
Null Object assignment in FOR..IN loop, xrefs: 00CA45D8, 00CA4706, 00CA47BE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 35c2b80f49da84cdf6baf65f4ec8fe84421562fea089ef706e0934fc15c398f7
Instruction ID: 1e14d2780d22aef0f2675d75f0b83b769de82f3a099f7a56586d5f4910d8598a
Opcode Fuzzy Hash: 35c2b80f49da84cdf6baf65f4ec8fe84421562fea089ef706e0934fc15c398f7
Instruction Fuzzy Hash: 2A919371A00216ABDF24CFA5D884FAE77B8EF86718F108559F515EB281D7B09A41CFA0

Function 00C91187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C9125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C91284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C9135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C91430

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b049afae81499d452f7c6463219705ab3b0087be12048b22a7a06dea623049ec
Instruction ID: 06013543f7294e20975c4f192fe1d5af1aceb7f22a9b8eaeedb620516fb24a91
Opcode Fuzzy Hash: b049afae81499d452f7c6463219705ab3b0087be12048b22a7a06dea623049ec
Instruction Fuzzy Hash: 7791F275A0021AAFDF00DF94C88ABBEB7B5FF44310F194429E910EB291D774EA41DB90

Function 00C3948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
Instruction ID: 25d24148f3bc6943af56a7674fc69419cae7b4bd5c87a74ef0dc406d3955c8f7
Opcode Fuzzy Hash: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
Instruction Fuzzy Hash: 1F911671D00219EFCB11CFA9CC84AEEBBB8FF49320F148659E515B7251D774AA82DB60

Function 00CA3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA396B
CharUpperBuffW.USER32(?,?), ref: 00CA3A7A
_wcslen.LIBCMT ref: 00CA3A8A
VariantClear.OLEAUT32(?), ref: 00CA3C1F

Part of subcall function 00C90CDF: VariantInit.OLEAUT32(00000000), ref: 00C90D1F
Part of subcall function 00C90CDF: VariantCopy.OLEAUT32(?,?), ref: 00C90D28
Part of subcall function 00C90CDF: VariantClear.OLEAUT32(?), ref: 00C90D34

Strings

Incorrect Parameter format, xrefs: 00CA39A6, 00CA3BA1
AUTOIT.ERROR, xrefs: 00CA3A80, 00CA3A85

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7cce23442aa97f91cfc717a28b25c0b96315c4a408e10fa874ed8112c6444537
Instruction ID: 72a9c54ba6e5a729a392d8903d15118c6dc79bd38e6e0dc7af23a8d2815d5973
Opcode Fuzzy Hash: 7cce23442aa97f91cfc717a28b25c0b96315c4a408e10fa874ed8112c6444537
Instruction Fuzzy Hash: CA919A746083469FC704EF68C49096AB7E5FF89318F14892DF89A9B351DB30EE05DB92

Function 00CA4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C8000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?,?,00C8035E), ref: 00C8002B
Part of subcall function 00C8000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80046
Part of subcall function 00C8000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80054
Part of subcall function 00C8000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?), ref: 00C80064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CA4C51
_wcslen.LIBCMT ref: 00CA4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CA4DCF
CoTaskMemFree.OLE32(?), ref: 00CA4DDA

Strings

NULL Pointer assignment, xrefs: 00CA4E23, 00CA4E52

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: eeab4ee4bdf6f295ecb1473041e2db946d2e3f82c608d5bb3f7b98ac55bd617f
Instruction ID: 9e888029353b678da4c9c4d9958810fde2a8873635867dc9ab318f196c59a9ca
Opcode Fuzzy Hash: eeab4ee4bdf6f295ecb1473041e2db946d2e3f82c608d5bb3f7b98ac55bd617f
Instruction Fuzzy Hash: 88912671D0022DEFDF14DFA4D881AEEB7B8BF49314F108169E915A7291EB709A44DF60

Function 00CB20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CB2183
GetMenuItemCount.USER32(00000000), ref: 00CB21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CB21DD
_wcslen.LIBCMT ref: 00CB2213
GetMenuItemID.USER32(?,?), ref: 00CB224D
GetSubMenu.USER32(?,?), ref: 00CB225B

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CB22E3

Part of subcall function 00C8E97B: Sleep.KERNEL32 ref: 00C8E9F3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8e17ebefaa6546ede935a3fbcd4c6607ecde501694216be485eec7bd7b3300c5
Instruction ID: f82c55b7e94a6a8c3175c7479c75d5c7df81f6a71c46d134ebdbb7eda143548c
Opcode Fuzzy Hash: 8e17ebefaa6546ede935a3fbcd4c6607ecde501694216be485eec7bd7b3300c5
Instruction Fuzzy Hash: 72719175E00215AFCB10DFA9C885AEEB7F5EF48320F108459E826EB351D734EE429B91

Function 00CB7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012B6210), ref: 00CB7F37
IsWindowEnabled.USER32(012B6210), ref: 00CB7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CB801E
SendMessageW.USER32(012B6210,000000B0,?,?), ref: 00CB8051
IsDlgButtonChecked.USER32(?,?), ref: 00CB8089
GetWindowLongW.USER32(012B6210,000000EC), ref: 00CB80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CB80C3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
Instruction ID: a66d0516bfd26e2021c76f2d4149dfc4045f212b00425df69e728319c95ae82c
Opcode Fuzzy Hash: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
Instruction Fuzzy Hash: 4A71AE34609204AFEF209F94C884FFABBB9EF49340F140559FD65972A1CB31AE45DB24

Function 00C8AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C8AEF9
GetKeyboardState.USER32(?), ref: 00C8AF0E
SetKeyboardState.USER32(?), ref: 00C8AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C8AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C8AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C8AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C8B020

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
Instruction ID: 79c149c97e03f907b4b4f65dc23031dd1e43e2e8ff0f83f3ed9b51a18e39e2ad
Opcode Fuzzy Hash: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
Instruction Fuzzy Hash: F25103F06047D13DFB36A2748C45BBBBEA95B06308F08858AF2E9454C2D3D8AED4D759

Function 00C8ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C8AD19
GetKeyboardState.USER32(?), ref: 00C8AD2E
SetKeyboardState.USER32(?), ref: 00C8AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C8ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C8ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C8AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C8AE38

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
Instruction ID: 23044cdd6cd0a04a669df5c750bfb84f15a13e42bcd13b1429a87aa5a0dde1bc
Opcode Fuzzy Hash: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
Instruction Fuzzy Hash: 75512AA05047D13DFB3363348C85B7ABE985B06309F08898AF1E5868C2C394ED94E75A

Function 00C5542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C63CD6,?,?,?,?,?,?,?,?,00C55BA3,?,?,00C63CD6,?,?), ref: 00C55470
__fassign.LIBCMT ref: 00C554EB
__fassign.LIBCMT ref: 00C55506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C63CD6,00000005,00000000,00000000), ref: 00C5552C
WriteFile.KERNEL32(?,00C63CD6,00000000,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C5554B
WriteFile.KERNEL32(?,?,00000001,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C55584

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
Instruction ID: 817ec145bb7d238a50bdbd988008dd76080019b1772c78e83c7561b94d331252
Opcode Fuzzy Hash: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
Instruction Fuzzy Hash: 455107B59006499FCB10CFA8D891BEEBBF9EF18301F14411AF955E7291E730DA85CB64

Function 00C42D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C42D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C42D53
_ValidateLocalCookies.LIBCMT ref: 00C42DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C42E0C
_ValidateLocalCookies.LIBCMT ref: 00C42E61

Strings

csm, xrefs: 00C42DF6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
Instruction ID: 734d3e05bba83fa0471af0813c72340929434d72df4fe6b771dac37410ee5829
Opcode Fuzzy Hash: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
Instruction Fuzzy Hash: 8D41B234E00249EBCF10DF69CC86A9EBBB5BF44324F548165F825AB392D731AA05CBD0

Function 00CA10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
Part of subcall function 00CA304E: _wcslen.LIBCMT ref: 00CA309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CA1112
WSAGetLastError.WSOCK32 ref: 00CA1121
WSAGetLastError.WSOCK32 ref: 00CA11C9
closesocket.WSOCK32(00000000), ref: 00CA11F9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b385e8ac237ea3493b801d76e34689cda3b1ee48d0d7a7a526456d6c34a24047
Instruction ID: a5a48dcd7e8db27acad2ad9c834fc8ccbc0cdc3003ead16a936a3826087911db
Opcode Fuzzy Hash: b385e8ac237ea3493b801d76e34689cda3b1ee48d0d7a7a526456d6c34a24047
Instruction Fuzzy Hash: 04410531600215AFDB109F54D884BAEB7E9EF46368F188159FE15AB292C770EE41CBE0

Function 00C8CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C8CF45
MoveFileW.KERNEL32(?,?), ref: 00C8CF7F
_wcslen.LIBCMT ref: 00C8D005
_wcslen.LIBCMT ref: 00C8D01B
SHFileOperationW.SHELL32(?), ref: 00C8D061

Strings

\*.*, xrefs: 00C8CFF3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 33864b0ce03ecbb73b3f78c3fe39ff13d5385fbdad79a670f8e267196b6a45ab
Instruction ID: ec851b21ca98f5d8de4db1b373d88b5bbd3a9b6fbf38f9b9a3629751a93c2f3a
Opcode Fuzzy Hash: 33864b0ce03ecbb73b3f78c3fe39ff13d5385fbdad79a670f8e267196b6a45ab
Instruction Fuzzy Hash: F94142719052185FDF12FBA4D9C1ADEB7B8AF18384F1000E6E605EB142EB34AB44DF64

Function 00CB2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CB2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CB2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CB2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CB2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CB2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CB2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB2F0B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
Instruction ID: b773c070c3dd81be481303d0d5673783dd881a86863e7c892a9c5563b647ba69
Opcode Fuzzy Hash: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
Instruction Fuzzy Hash: 4231F230644290EFDB218F59DC84FA937E5EB9A721F190164F9118B2B1CBB1EE40DB51

Function 00C87726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C8778F
SysAllocString.OLEAUT32(00000000), ref: 00C87792
SysAllocString.OLEAUT32(?), ref: 00C877B0
SysFreeString.OLEAUT32(?), ref: 00C877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C877DE
SysAllocString.OLEAUT32(?), ref: 00C877EC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4963c883e98c19c0563b16eb64680fae7605bd9ebf666487bd6c8adac24b2d9d
Instruction ID: ba4dd7e2ac651319be5aabdf89f64f56cbe4f870b502e1f591294d158b0bff94
Opcode Fuzzy Hash: 4963c883e98c19c0563b16eb64680fae7605bd9ebf666487bd6c8adac24b2d9d
Instruction Fuzzy Hash: 7E21C476604219AFDF11EFA8CC88EBF73ACEB09768B148625F914DB150E670DD41CB64

Function 00C877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87868
SysAllocString.OLEAUT32(00000000), ref: 00C8786B
SysAllocString.OLEAUT32 ref: 00C8788C
SysFreeString.OLEAUT32 ref: 00C87895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C878AF
SysAllocString.OLEAUT32(?), ref: 00C878BD

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f3c7d75aa6fc5cfec7d04f39115a01b65ce88100bad083892cf60ccb99ac813e
Instruction ID: 81f0c56ade281ecec909af2e6a17aa281accd95b5e1c76c2b895da5a2c83ab8e
Opcode Fuzzy Hash: f3c7d75aa6fc5cfec7d04f39115a01b65ce88100bad083892cf60ccb99ac813e
Instruction Fuzzy Hash: 74217731608104AFDB10AFA9DC88EBA77ECEB09764B108225F915DB2E1E674DD41CB78

Function 00C904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C9052E

Strings

nul, xrefs: 00C90567

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
Instruction ID: 0d0c56e262bad4b07d5f85011f993a57a3ee5089444e860e165eadcd6fc1ebee
Opcode Fuzzy Hash: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
Instruction Fuzzy Hash: AE215A75500305AFDF209F69D849B9A7BA8AF44B64F714A29E8B1E62E0D7709A40CF24

Function 00C905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C90601

Strings

nul, xrefs: 00C90639

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
Instruction ID: 2b1bd377f3759cd1f754cf6fbf5df1e47d2dfcffb5228585d74c9917071e9448
Opcode Fuzzy Hash: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
Instruction Fuzzy Hash: 36213D755003059FDF209F699848A9A77A8AF95B25F300B19FCB1E72E0D7709A60CB20

Function 00CB40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
Part of subcall function 00C2600E: GetStockObject.GDI32(00000011), ref: 00C26060
Part of subcall function 00C2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CB4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CB411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CB412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CB4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CB4145

Strings

Msctls_Progress32, xrefs: 00CB40E3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: fbacac303d39f4192a24773a1fad3606a4cc7d34fd85d09893180e8a083bb309
Instruction ID: a9f89588de6ba830235d910e587e3bcaf50dc2f61fa1ae16de9eeb24fc2b388e
Opcode Fuzzy Hash: fbacac303d39f4192a24773a1fad3606a4cc7d34fd85d09893180e8a083bb309
Instruction Fuzzy Hash: 4611B2B2150219BEEF119F65CC85EEB7F6DEF08798F014111FA18A2090CA729C21DBA4

Function 00C5D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C5D7A3: _free.LIBCMT ref: 00C5D7CC

_free.LIBCMT ref: 00C5D82D

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5D838
_free.LIBCMT ref: 00C5D843
_free.LIBCMT ref: 00C5D897
_free.LIBCMT ref: 00C5D8A2
_free.LIBCMT ref: 00C5D8AD
_free.LIBCMT ref: 00C5D8B8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 66ba420e65a1cf823148204d515842b2114572188afea480502a81a2c306e6ff
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DF11B135540B04AAD531BFB0CC07FCB7BDCEF19342F400824BA9AE6992CA24B5896654

Function 00C8DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C8DA74
LoadStringW.USER32(00000000), ref: 00C8DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C8DA91
LoadStringW.USER32(00000000), ref: 00C8DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C8DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C8DAB9

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
Instruction ID: e1e19340adbcf361551ba28f83b119c2777deb050517fed3a7d9481aa1a63ef5
Opcode Fuzzy Hash: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
Instruction Fuzzy Hash: 8D0162F29402087FE711ABA49DC9FFB376CE708705F400591B706E2081EA749E844F74

Function 00C9096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012AF9F8,012AF9F8), ref: 00C9097B
EnterCriticalSection.KERNEL32(012AF9D8,00000000), ref: 00C9098D
TerminateThread.KERNEL32(?,000001F6), ref: 00C9099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C909A9
CloseHandle.KERNEL32(?), ref: 00C909B8
InterlockedExchange.KERNEL32(012AF9F8,000001F6), ref: 00C909C8
LeaveCriticalSection.KERNEL32(012AF9D8), ref: 00C909CF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
Instruction ID: fff644f1f1e00a205ed09ee00d4dfdbafb0d2cc3055f575070397b793bdfeb5a
Opcode Fuzzy Hash: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
Instruction Fuzzy Hash: 34F01932442A12ABDB455FA4EECCBDABA29BF01702F502226F202908A1C7749975CF91

Function 00CA1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CA1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CA1DE1
WSAGetLastError.WSOCK32 ref: 00CA1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00CA1EDB
inet_ntoa.WSOCK32(?), ref: 00CA1E8C

Part of subcall function 00C839E8: _strlen.LIBCMT ref: 00C839F2

Part of subcall function 00CA3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C9EC0C), ref: 00CA3240

_strlen.LIBCMT ref: 00CA1F35

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: a16fe138196fb144e61b3d3ff9256aeba944822f72f7eddf0cbd613955cace18
Instruction ID: 56a822797fc48b0473d92e91b6000b71533f2b9532db1c972e8e197014d30fc4
Opcode Fuzzy Hash: a16fe138196fb144e61b3d3ff9256aeba944822f72f7eddf0cbd613955cace18
Instruction Fuzzy Hash: 1BB1CE31604341AFC324DF64C895F2A7BE5AF85318F58895CF8665B2E2DB31EE42CB91

Function 00C25D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C25D30
GetWindowRect.USER32(?,?), ref: 00C25D71
ScreenToClient.USER32(?,?), ref: 00C25D99
GetClientRect.USER32(?,?), ref: 00C25ED7
GetWindowRect.USER32(?,?), ref: 00C25EF8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
Instruction ID: 7417e87ca0848837d54a78f6b5668353b15c20f217c3c9ad36fddc0b7ada4003
Opcode Fuzzy Hash: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
Instruction Fuzzy Hash: 11B17874A00B4ADBDB24CFA9C4807EEB7F1FF58310F14851AE8A9D7690DB34AA51DB50

Function 00C501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C500D6
__allrem.LIBCMT ref: 00C500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5010B
__allrem.LIBCMT ref: 00C50122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C50140

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1204c1b6e124a4d6e77624994844cdb107d0186a3f21ac1fad389749a2a5002b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: DB81087AA00B069BE7209F68CC42B6F77E8AF41325F24413EFC21D6681E770DA899755

Function 00C561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C482D9,00C482D9,?,?,?,00C5644F,00000001,00000001,8BE85006), ref: 00C56258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C5644F,00000001,00000001,8BE85006,?,?,?), ref: 00C562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C563D8
__freea.LIBCMT ref: 00C563E5

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

__freea.LIBCMT ref: 00C563EE
__freea.LIBCMT ref: 00C56413

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eb6297cff7d4217afb6b086fc972d790ce0573bd6f99cc5f815b4b73de2210b2
Instruction ID: 54b887fd6fa2180423730db8a81e5e33e25cd9e73069f8a996c8404f625376ba
Opcode Fuzzy Hash: eb6297cff7d4217afb6b086fc972d790ce0573bd6f99cc5f815b4b73de2210b2
Instruction Fuzzy Hash: A0514276600206ABEB258F64CC81FAF7BA9EF40752F540228FD15D7150EB30DDC8D668

Function 00CABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CABD25
RegCloseKey.ADVAPI32(00000000), ref: 00CABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CABDF3
RegCloseKey.ADVAPI32(?), ref: 00CABDFF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f81f7fb950ae44c069d55eeeb0973eef2688b124d2cb03d94f20be8806125b5a
Instruction ID: 08228a92749da6389b8dec1a2391c65e22f42f665e77cfd887a1bdfb405cb1ca
Opcode Fuzzy Hash: f81f7fb950ae44c069d55eeeb0973eef2688b124d2cb03d94f20be8806125b5a
Instruction Fuzzy Hash: 8B819030608242EFD714DF24C895E2ABBE5FF85308F14896CF45A4B2A2DB31ED45DB92

Function 00C7F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C7F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C7F860
VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F889
VariantClear.OLEAUT32(00C7FA64), ref: 00C7F8AD
VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F8B1
VariantClear.OLEAUT32(?), ref: 00C7F8BB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 715156d23e9db85d67cf7d0738aa2646f3e0af8d994bca3160dcb7194bfdae6d
Instruction ID: 990e37dac8d1bbf010a18450e8c51687961d76f34644beff303bfc776984eb10
Opcode Fuzzy Hash: 715156d23e9db85d67cf7d0738aa2646f3e0af8d994bca3160dcb7194bfdae6d
Instruction Fuzzy Hash: 7851A431510310AACF24AF66D8D5B69B3A4FF45310F24D46EE909EF291DB708D42DB66

Function 00C9910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C994E5
_wcslen.LIBCMT ref: 00C99506
_wcslen.LIBCMT ref: 00C9952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C99585

Strings

X, xrefs: 00C99412

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a473a3afc738e1e2ac36a3d1a655367d17a001a050d0b1c024ceec6240a5a038
Instruction ID: 20f26777dacd9138a649f68ff72ee51f90cd663b514d1dcf9649090f1d9d4e05
Opcode Fuzzy Hash: a473a3afc738e1e2ac36a3d1a655367d17a001a050d0b1c024ceec6240a5a038
Instruction Fuzzy Hash: 3DE1B2315083519FCB24EF28D485B6AB7E4FF85310F04896DF8999B2A2DB31DD05CB92

Function 00C3920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

BeginPaint.USER32(?,?,?), ref: 00C39241
GetWindowRect.USER32(?,?), ref: 00C392A5
ScreenToClient.USER32(?,?), ref: 00C392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C392D3
EndPaint.USER32(?,?,?,?,?), ref: 00C39321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C771EA

Part of subcall function 00C39339: BeginPath.GDI32(00000000), ref: 00C39357

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
Instruction ID: a4705835bcde36f9d4a0b90625ac400f8eb97127c83331f0854cf097d2d16234
Opcode Fuzzy Hash: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
Instruction Fuzzy Hash: 5341AC70104200EFD721DF25DCC4FBA7BB8EB45324F040269F9A9972B1C7B19945DBA2

Function 00C907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C9080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C90847
EnterCriticalSection.KERNEL32(?), ref: 00C90863
LeaveCriticalSection.KERNEL32(?), ref: 00C908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C90921

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 5d646208330328db5445c3b3b65f225c6fff1d24bb4a6e8670bc01f28f0fabd3
Instruction ID: b6f6c1e65d4c285d3e685e472c2a45b3fd74e5234dbae69bdfe51df2a36fc2ee
Opcode Fuzzy Hash: 5d646208330328db5445c3b3b65f225c6fff1d24bb4a6e8670bc01f28f0fabd3
Instruction Fuzzy Hash: 1A416871A00205EFDF14AF54DC85AAA77B8FF04300F2440A9ED00AA297DB30DE65DBA4

Function 00CB81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C7F3AB,00000000,?,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00CB824C
EnableWindow.USER32(?,00000000), ref: 00CB8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CB82D1
ShowWindow.USER32(?,00000004), ref: 00CB82E5
EnableWindow.USER32(?,00000001), ref: 00CB830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CB832F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
Instruction ID: 4a80379c8908f9b9f9b210089d09961daea0fee67ef84f02f58cae23bdd6ba2b
Opcode Fuzzy Hash: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
Instruction Fuzzy Hash: 27419434601644EFDF11CF15C899BE87BE4BB1A714F1842A9E9184F272CB71AE49CB52

Function 00C84C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C84C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C84CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C84CEA
_wcslen.LIBCMT ref: 00C84D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C84D10
_wcsstr.LIBVCRUNTIME ref: 00C84D1A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2f1d4bcf972422ac1747d078771c7ddcff91bbd75166e4197ad3fe6b1c7e170b
Instruction ID: 4656be4d90b0af2b7b4eb8087158d82014da3003959322e8cfc53af23865882e
Opcode Fuzzy Hash: 2f1d4bcf972422ac1747d078771c7ddcff91bbd75166e4197ad3fe6b1c7e170b
Instruction Fuzzy Hash: 79210872604211BBEB196B3AEC49F7F7BACDF45754F10803EF805CA191EA61DD0197A4

Function 00C9581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

_wcslen.LIBCMT ref: 00C9587B
CoInitialize.OLE32(00000000), ref: 00C95995
CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C959AE
CoUninitialize.OLE32 ref: 00C959CC

Strings

.lnk, xrefs: 00C95876, 00C958C1, 00C95985

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4b0946db0a68d778cf594eed7df4c750d4c3f99f9992e00af05e0b8fbe04b079
Instruction ID: e22d39b16fb5e12e03e240869af5bf18fad8fc768d51ed5b84a399aa9146ce26
Opcode Fuzzy Hash: 4b0946db0a68d778cf594eed7df4c750d4c3f99f9992e00af05e0b8fbe04b079
Instruction Fuzzy Hash: B4D164716047119FCB14DF28C488A2ABBE1FF89710F14896DF8999B361DB31ED46CB92

Function 00C8175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
Part of subcall function 00C80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
Part of subcall function 00C80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
Part of subcall function 00C80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002

GetLengthSid.ADVAPI32(?,00000000,00C81335), ref: 00C817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C817BA
HeapAlloc.KERNEL32(00000000), ref: 00C817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C817DA
GetProcessHeap.KERNEL32(00000000,00000000,00C81335), ref: 00C817EE
HeapFree.KERNEL32(00000000), ref: 00C817F5

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
Instruction ID: 7cfab86b4829dc61cfed4071c72a26bfb71d5cccdcb666b337f77d58bf156137
Opcode Fuzzy Hash: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
Instruction Fuzzy Hash: C411AC72500205FFDB10AFA8DC89BAE7BEDEB41359F18411DF881A7210C735AA45CB64

Function 00C814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C81506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C81515
CloseHandle.KERNEL32(00000004), ref: 00C81520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C81563

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
Instruction ID: 51db26dc862fea9ff23dfbae7a1e2c3be45b2de6c767b7b7e4a2ba2341f1fefd
Opcode Fuzzy Hash: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
Instruction Fuzzy Hash: 88115972504209ABDF119F98ED89FDE7BADEF48718F088124FE15A2060C3758E61DB60

Function 00C43382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C43379,00C42FE5), ref: 00C43390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C4339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C433B7
SetLastError.KERNEL32(00000000,?,00C43379,00C42FE5), ref: 00C43409

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ecee6721194a9c5420c8892544ace85d73ad21b92701af42802b2389c108ea41
Instruction ID: c4eea27888a31e2114a075bdc8d7b112f357a0fa3e7d7e84051fe99241149b2c
Opcode Fuzzy Hash: ecee6721194a9c5420c8892544ace85d73ad21b92701af42802b2389c108ea41
Instruction Fuzzy Hash: 4E01D4336093A2BEA6292B757CC5BAF2EA4FB957797200229F530852F1EF114F036544

Function 00C52D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C55686,00C63CD6,?,00000000,?,00C55B6A,?,?,?,?,?,00C4E6D1,?,00CE8A48), ref: 00C52D78
_free.LIBCMT ref: 00C52DAB
_free.LIBCMT ref: 00C52DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DEC
_abort.LIBCMT ref: 00C52DF2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
Instruction ID: 86dbce0b7ecbd49f5b152023c23c40247a3b84725771b1304143fe33be48a725
Opcode Fuzzy Hash: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
Instruction Fuzzy Hash: BBF0A43E504A0027C2122735AC46F5E26E9ABD37A3F244519FC34A21E2EF2489CEA168

Function 00C851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C85218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C85229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C85230
ReleaseDC.USER32(00000000,00000000), ref: 00C85238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C8524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C85261

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
Instruction ID: c3434d36a12fc9dedc797d275c028cb886714c15cd83d2ca59f358335ea2cd9d
Opcode Fuzzy Hash: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
Instruction Fuzzy Hash: E2016275E00718BBEB10ABE99C89F5EBFB8EF48751F044165FA04A7281DA709D00CFA0

Function 00CB8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CB8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CB8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CB8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CB8A80
EndPath.GDI32(?), ref: 00CB8A90
StrokePath.GDI32(?), ref: 00CB8AA0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
Instruction ID: 3875a33408708700cb102ed4ff8591a79e8b0c7f7285bc2b7f8f4cec42199d64
Opcode Fuzzy Hash: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
Instruction Fuzzy Hash: EC11C576400109FFEB129F94EC88FAE7F6DEB08354F048122BA599A1A1C7719E55DFA0

Function 00C21BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
Instruction ID: 704efd70c65d88b3e04932edc29a776e81e5efe5fc46c7c9c06412d8aec0d335
Opcode Fuzzy Hash: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
Instruction Fuzzy Hash: 060167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00C8EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C8EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C8EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C8EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB75

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
Instruction ID: 264ca7c181da8c3a7205939ad5ea3ce53967bb88866d715157cd861d18d9d054
Opcode Fuzzy Hash: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
Instruction Fuzzy Hash: 20F03A72240158BBE7215B629C4EFEF3B7CEFCAB11F000269FA11E1091E7A05A01C6B5

Function 00C81874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C8187F
UnloadUserProfile.USERENV(?,?), ref: 00C8188B
CloseHandle.KERNEL32(?), ref: 00C81894
CloseHandle.KERNEL32(?), ref: 00C8189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C818A5
HeapFree.KERNEL32(00000000), ref: 00C818AC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
Instruction ID: 3d0ed40f6cd388fde6f4f9e5b0b4d6c3040d4634f6f61a7f5dda520443dd3c1c
Opcode Fuzzy Hash: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
Instruction Fuzzy Hash: 6FE0C276004101BBDA015FA5ED4CB4EBB69FB59B22B508321F225A1070CB329420DB60

Function 00C8C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C6EE
_wcslen.LIBCMT ref: 00C8C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C8C7CA

Strings

0, xrefs: 00C8C6AF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c78fe0d62dd49511db3953763addc73a329956a33bb74ab087686381ecfaf31d
Instruction ID: b1d13fe02fbcbae4711c023bf531008b19547a43ad5a23d264aa879322e6da09
Opcode Fuzzy Hash: c78fe0d62dd49511db3953763addc73a329956a33bb74ab087686381ecfaf31d
Instruction Fuzzy Hash: CD51BF716143019BD754AF28C8C5B6B77E8AF49318F040A2DF9A5D31A0DB70DE04DB6A

Function 00CAAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CAAEA3

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

GetProcessId.KERNEL32(00000000), ref: 00CAAF38
CloseHandle.KERNEL32(00000000), ref: 00CAAF67

Strings

<, xrefs: 00CAAE6B
@, xrefs: 00CAAE72

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5e6a9a652de988d6429e4d12ff333358213c1080310a0456877466d5304983e4
Instruction ID: 420956a3af846b1422a6071e3b0ce03a80321c2eddbd9f664b29274757692016
Opcode Fuzzy Hash: 5e6a9a652de988d6429e4d12ff333358213c1080310a0456877466d5304983e4
Instruction Fuzzy Hash: D9718D71A00226DFCB14DF94D484A9EBBF0FF09314F0484A9E856AB7A2C774EE45DB91

Function 00C8719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C87206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C8723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C8724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C872CF

Strings

DllGetClassObject, xrefs: 00C87242

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
Instruction ID: d5b0327e33027e95160419cd793e17905278c56e79f1119325ee889534c93e0b
Opcode Fuzzy Hash: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
Instruction Fuzzy Hash: 8A419171604204EFDB15DF54C884B9A7BA9EF84318F2582ADBD05DF21AE7B0DE40CBA4

Function 00CB3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB3E35
IsMenu.USER32(?), ref: 00CB3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB3E92
DrawMenuBar.USER32 ref: 00CB3EA5

Strings

0, xrefs: 00CB3D89

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2726f13dd9ce251c10ba3be92781daf299793c3b9ece2bd58accb1bb94bb52bf
Instruction ID: 723a0875e36b81cfef6f410394e85ef5233f00417bd0e0c17f795028d8d2dcf7
Opcode Fuzzy Hash: 2726f13dd9ce251c10ba3be92781daf299793c3b9ece2bd58accb1bb94bb52bf
Instruction Fuzzy Hash: 7A413875A01289EFDB20DF50D884AEABBB9FF49354F04412AF915AB250D730EE44DFA0

Function 00C81DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C81E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C81E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C81EA9

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Strings

ComboBox, xrefs: 00C81DF0
ListBox, xrefs: 00C81E25

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 63c118e17c7985a0ac6326c817651f8637019f8808af24da4e0f5202fc412ab1
Instruction ID: 190b53c57860b573a1d2c21e9f7f58d268fb9b74cfd176db29d972e718209322
Opcode Fuzzy Hash: 63c118e17c7985a0ac6326c817651f8637019f8808af24da4e0f5202fc412ab1
Instruction Fuzzy Hash: 0321F371A00104ABDB14AB65EC89DFFB7BCEF45358F184129FC25A71E1DB744A0AA720

Function 00CB2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CB2F8D
LoadLibraryW.KERNEL32(?), ref: 00CB2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CB2FA9
DestroyWindow.USER32(?), ref: 00CB2FB1

Strings

SysAnimate32, xrefs: 00CB2F68

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: dcea72db2825194ad4f7ec727a141ad12504f1bfe48e89d3da448d58ab682c37
Instruction ID: ef1b9fd6872bc488d48e9b8832c1660ad87fb75d83f654c22765bab5adffea3e
Opcode Fuzzy Hash: dcea72db2825194ad4f7ec727a141ad12504f1bfe48e89d3da448d58ab682c37
Instruction Fuzzy Hash: D2218C71204225ABEF104FE4DC84FFB77B9EB59364F104628F960D6190D771DD51A760

Function 00C44D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002), ref: 00C44D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C44DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000), ref: 00C44DC3

Strings

CorExitProcess, xrefs: 00C44D98
mscoree.dll, xrefs: 00C44D86

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
Instruction ID: 3ef9e3f13c2ad85737da8d371171721b8a92b8cd12a6dfa89cd5f92035d3a3f4
Opcode Fuzzy Hash: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
Instruction Fuzzy Hash: 00F04F35A40208BBDB159F94DC89BADBFF9FF44751F1001A8F90AA2260CB715A41DB90

Function 00C24E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C24EA8
kernel32.dll, xrefs: 00C24E94

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
Instruction ID: 901ca83ae5cfce3ee241049e18614def399806c5e381ebb96be0e521fb73f435
Opcode Fuzzy Hash: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
Instruction Fuzzy Hash: A5E0CD36A027325BE2311729BC5CB5FA558AF81F62F060225FC10F3240DBA0CE0240B0

Function 00C24E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87

Strings

kernel32.dll, xrefs: 00C24E5B
Wow64RevertWow64FsRedirection, xrefs: 00C24E6E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
Instruction ID: a5619f825b3202c7654cb2528b62bbfbad0e8ebf1541256f2a11a554996a19ee
Opcode Fuzzy Hash: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
Instruction Fuzzy Hash: 4DD01236502632576A261B297C5CF8FAA18AF85B517060625F915B6124CF60CE0285E0

Function 00C92947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92C05
DeleteFileW.KERNEL32(?), ref: 00C92C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C92C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CC0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e45384abf45d282e9469ed4bf0fcb54fb8f680924baa2957777ecec688374fb1
Instruction ID: 8f92a7e2bd3797693fa224c90f3c0d2f7934701e2185a50d4c872ad6cbf7b6a5
Opcode Fuzzy Hash: e45384abf45d282e9469ed4bf0fcb54fb8f680924baa2957777ecec688374fb1
Instruction Fuzzy Hash: 61B14D72E00129ABDF25EFA4CC89EDEB7BDEF48350F1040A6F509E6141EA319E449F61

Function 00CAA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CAA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CAA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CAA468
CloseHandle.KERNEL32(?), ref: 00CAA63D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a5af9121cc88de65248ccd133af68acafd4298c577b1710cd156b974e1c249e9
Instruction ID: ec09c4db732b0c6441e6fa26cac67dc63ae4671e9459b09d1ddbb43e268893ba
Opcode Fuzzy Hash: a5af9121cc88de65248ccd133af68acafd4298c577b1710cd156b974e1c249e9
Instruction Fuzzy Hash: 6FA1A171604301AFD720DF28D886F2AB7E5AF88714F14881DF56A9B6D2D7B0ED41CB92

Function 00C5BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CC3700), ref: 00C5BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00CF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C5BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00CF1270,000000FF,?,0000003F,00000000,?), ref: 00C5BC36
_free.LIBCMT ref: 00C5BB7F

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5BD4B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 795204dc61ba270fd77a27bd0e1ffc9e0a6aaa323f7592ecd5f5cb8f6605a213
Instruction ID: 087778ad96951e2e493daedd1b08e11f2ea3e394ad88eb525be2748437475db2
Opcode Fuzzy Hash: 795204dc61ba270fd77a27bd0e1ffc9e0a6aaa323f7592ecd5f5cb8f6605a213
Instruction Fuzzy Hash: 03510B75900209DFCB10DFA5DC81ABEBFB8EF41321B14026AED64E71A1EB705E89D758

Function 00C8E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C8E473
MoveFileW.KERNEL32(?,?), ref: 00C8E4AC
_wcslen.LIBCMT ref: 00C8E5EB
_wcslen.LIBCMT ref: 00C8E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C8E650

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9e6ccad7b17ae10b1744d05f60225ec2a22b1fdf689d29d48c79238b2854f51b
Instruction ID: 0d7b04cf528491938c7e8f9b9c2b1d8296b9ecc82edb081d8ea9710c7b7d6fca
Opcode Fuzzy Hash: 9e6ccad7b17ae10b1744d05f60225ec2a22b1fdf689d29d48c79238b2854f51b
Instruction Fuzzy Hash: D25162B25083455BC734FBA0D8819DFB3ECAF85344F00492EF599D3191EF74A688976A

Function 00CAB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CABB63
RegCloseKey.ADVAPI32(?,?), ref: 00CABBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CABBB3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 65b3c7e08afc9e73e330d63865dafd95d972c6741cea6e20e3813cd6332642b7
Instruction ID: 0e51ba610f2c69ceff7108e5640af7435c938647d8611ec391168127b6003ac3
Opcode Fuzzy Hash: 65b3c7e08afc9e73e330d63865dafd95d972c6741cea6e20e3813cd6332642b7
Instruction Fuzzy Hash: F661A131208242AFD314DF64D490E2ABBE5FF85308F14856CF49A8B2A2DB31ED45DB92

Function 00C88BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C88BCD
VariantClear.OLEAUT32 ref: 00C88C3E
VariantClear.OLEAUT32 ref: 00C88C9D
VariantClear.OLEAUT32(?), ref: 00C88D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C88D3B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
Instruction ID: 79db256667961928e3af625c272c57da4ed6100eeeaec7d2c61862a287287907
Opcode Fuzzy Hash: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
Instruction Fuzzy Hash: B5518AB5A0021AEFCB10DF28C884AAAB7F8FF89314F11855AE915DB350E730E911CF94

Function 00C98AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C98BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C98BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C98C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C98C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C98C5F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 241285ab430ef7a83e9764580fd3996278ff712e72f4a4208e47b876c3b01f3d
Instruction ID: 1f6a759f03e27b13732a94f7a076f7e26aeac0697b75a2cae83ece984eb85130
Opcode Fuzzy Hash: 241285ab430ef7a83e9764580fd3996278ff712e72f4a4208e47b876c3b01f3d
Instruction Fuzzy Hash: 65515A35A002159FCF00DF64C884A6EBBF5FF49314F088468E849AB362CB31ED51DB90

Function 00CA8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CA8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CA8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CA8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CA9032
FreeLibrary.KERNEL32(00000000), ref: 00CA9052

Part of subcall function 00C3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C91043,?,7529E610), ref: 00C3F6E6
Part of subcall function 00C3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C7FA64,00000000,00000000,?,?,00C91043,?,7529E610,?,00C7FA64), ref: 00C3F70D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 044190eb21e5ff67484744808899c1ff6d698d6fd9aee086071604373f0b6c54
Instruction ID: 95fb4ae09491532de56f239156d98b2db445f80c15e3c0d8ac890f92ded92e69
Opcode Fuzzy Hash: 044190eb21e5ff67484744808899c1ff6d698d6fd9aee086071604373f0b6c54
Instruction Fuzzy Hash: FC515E35600216DFC715DF58C4959ADBBF1FF4A318F0481A8E815AB762DB31EE85CB90

Function 00CB6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CB6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CB6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CB6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C9AB79,00000000,00000000), ref: 00CB6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CB6CC7

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
Instruction ID: 8c29f325cf4171fc246e56ff97eb63392fdbef5253930a8cbb112eb0c425f808
Opcode Fuzzy Hash: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
Instruction Fuzzy Hash: DA41C335604104AFDB24CF68CC98FF97FA9EB09360F150268F9A5A72E0C775EE41DA90

Function 00C52051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C520C3
_free.LIBCMT ref: 00C520E3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
Instruction ID: fa6b7377ab81cdf116e6791d22d187a618dc94ccb7abf54804f5678439df67c2
Opcode Fuzzy Hash: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
Instruction Fuzzy Hash: 59410436E002009FCB24DF78C980A5EB3F5EF8A310F154568E916EB392D731AE45DB84

Function 00C3912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C39141
ScreenToClient.USER32(00000000,?), ref: 00C3915E
GetAsyncKeyState.USER32(00000001), ref: 00C39183
GetAsyncKeyState.USER32(00000002), ref: 00C3919D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
Instruction ID: e74605a7a727a6151b12fb8545cd6f26cd1c114154e10a2975436e5db215fb13
Opcode Fuzzy Hash: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
Instruction Fuzzy Hash: C7414D31A0861AFBDF159F64C848BEEB774FB05320F208329E429A7290C7746A54DF91

Function 00C93874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C93922
TranslateMessage.USER32(?), ref: 00C9394B
DispatchMessageW.USER32(?), ref: 00C93955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
Instruction ID: 8577350ef7c361c7d814541fe9dc876dafab58491d0d1d0c1c820e59ae937fd9
Opcode Fuzzy Hash: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
Instruction Fuzzy Hash: C231A6705043C1DEEF35CB35984CBBA37A8AB15314F09056DE876D61E0E7B49B89CB12

Function 00C81901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C81915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C819E2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
Instruction ID: de934a41853c575cfbf6008a010772be3037958bbea362d57ffe7479242bf160
Opcode Fuzzy Hash: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
Instruction Fuzzy Hash: 2231AF71900219EFCB00DFA8C999BEE3BB9EB04319F144225FD61A72D1C7709A55CB90

Function 00C9CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C9CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFF2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e22840ce42bac53fc4b0fc0fac5a212e755d32a9c4948229b95fa02d9d47ef05
Instruction ID: d981a4ed833a411e63613fcaef027b6d30dc8d11ff99f16fbacfc34443f09247
Opcode Fuzzy Hash: e22840ce42bac53fc4b0fc0fac5a212e755d32a9c4948229b95fa02d9d47ef05
Instruction Fuzzy Hash: 5B312971A04605AFDF20DFE5C9C8AAFBBF9EB14355F10442EF516E2151EB30AE419B60

Function 00CA0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CA0951
GetForegroundWindow.USER32 ref: 00CA0968
GetDC.USER32(00000000), ref: 00CA09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CA09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CA09E8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: cb9e4b6263bf9a6f59439a046ed40ddb98e28c991965ba4a68bfe0ca01ea5896
Instruction ID: 3b8a1dacc6c7e91be5d177b28ab438985382047424de9241227c49206b8f2437
Opcode Fuzzy Hash: cb9e4b6263bf9a6f59439a046ed40ddb98e28c991965ba4a68bfe0ca01ea5896
Instruction Fuzzy Hash: 64218135600214AFD704EF69D889BAFBBE9EF49740F148168F85AA7752CB30AD04DB50

Function 00C5CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C5CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C5CDE9

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C5CE0F
_free.LIBCMT ref: 00C5CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C5CE31

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 86e3c37363521e5b11a341ed05abdc6f805c05f630c736e7a14e43cb629d9288
Instruction ID: a1eaf97c756b08e9f063084f6969a596fd3b4dabe1391eb5e7688ae939a25b5d
Opcode Fuzzy Hash: 86e3c37363521e5b11a341ed05abdc6f805c05f630c736e7a14e43cb629d9288
Instruction Fuzzy Hash: F701477A6013113F232116BA6CCEE7F7A6CDEC2BA23140229FD11D3200EAA08E4591B8

Function 00C39639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
SelectObject.GDI32(?,00000000), ref: 00C396A2
BeginPath.GDI32(?), ref: 00C396B9
SelectObject.GDI32(?,00000000), ref: 00C396E2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
Instruction ID: 80b4ae2ee391a818f498802a5a2857f0966baa072bc58bda4f513b4c0a75a7f6
Opcode Fuzzy Hash: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
Instruction Fuzzy Hash: 7E216A30812205EBDB119F29EC597BD3BB8FB10325F184216F820A61B0D3F09A91CFD1

Function 00C85711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C85726
_memcmp.LIBVCRUNTIME ref: 00C85744
_memcmp.LIBVCRUNTIME ref: 00C85757
_memcmp.LIBVCRUNTIME ref: 00C8576F
_memcmp.LIBVCRUNTIME ref: 00C85787

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
Instruction ID: 8bb9640f6008dfafbca6b85944314ccd121ca11750a7040626992fd0c23ad42d
Opcode Fuzzy Hash: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
Instruction Fuzzy Hash: C701B5A5661609BBE2186511DD82FFB735CAB21398F448034FD149B241F7A0EE9193A8

Function 00C8000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?,?,00C8035E), ref: 00C8002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?), ref: 00C80064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80070

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
Instruction ID: 7d8332a6af61c0c82c3134e204095ce6ca8c1b8de23f9561fff56f4de46a8ae7
Opcode Fuzzy Hash: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
Instruction Fuzzy Hash: 1601DB72600204BFDB506F68DC88BAE7BEDEF44396F244224F805D2210E776CE449BA0

Function 00C8E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C8E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C8E9A5
Sleep.KERNEL32(00000000), ref: 00C8E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C8E9B7
Sleep.KERNEL32 ref: 00C8E9F3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
Instruction ID: 8aebc772cc028b41bdb66911ece180ede6dd95224caefbf24a29ebb0f28d84e6
Opcode Fuzzy Hash: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
Instruction Fuzzy Hash: 70016931C01629DBCF00AFE9DC89BEDBB78FF08305F000656E952B2250CB709651CBA5

Function 00C810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
Instruction ID: a5a96bfed977e70e1e3e8b5d1173b901074d89a05c9299d53b463c763e1e4c45
Opcode Fuzzy Hash: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
Instruction Fuzzy Hash: 00016975200205BFDB115FA8DC8DBAE3BAEEF893A4F240419FA41E3360DA31DD008B60

Function 00C81014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
Instruction ID: 41d9bfcbcbb42c1fe285f4225cde11ca0ae5ff8f382ed207c7f0c0f1b8b3b751
Opcode Fuzzy Hash: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
Instruction Fuzzy Hash: 8BF04975200301ABDB216FA8EC89F5B3BADEF89761F140525FA45D6250CA70DD518A60

Function 00C80FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
Instruction ID: b9857c1b89ebd7ffa35d2dea853aa375aa2625471c154ad9379295789c3b9cee
Opcode Fuzzy Hash: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
Instruction Fuzzy Hash: FFF04975200301AFDB216FA8AC89F5A3BADEF89762F144525FA45D6251CA70DC518A60

Function 00C9030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90324
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90331
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9033E
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9034B
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90358
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90365

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
Instruction ID: 9d9a029a0a73f742030d0c069d8e41445c799f0015b8f0fda99a440b208366d5
Opcode Fuzzy Hash: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
Instruction Fuzzy Hash: 4F01AE72800B159FCB30AF66D880816FBF9BF603153258A3FD1A652931C3B1AA58DF80

Function 00C5D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C5D752

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5D764
_free.LIBCMT ref: 00C5D776
_free.LIBCMT ref: 00C5D788
_free.LIBCMT ref: 00C5D79A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
Instruction ID: 472eb8eb85b3daf3c88c5f24c546d970b07b7a774f6fa2600a3cec82fcb018fc
Opcode Fuzzy Hash: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
Instruction Fuzzy Hash: D5F06236500348AB8635EB64F9C2E5A7BDDBB093527A40805F869EB646C730FCC48668

Function 00C85C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C85C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C85C6F
MessageBeep.USER32(00000000), ref: 00C85C87
KillTimer.USER32(?,0000040A), ref: 00C85CA3
EndDialog.USER32(?,00000001), ref: 00C85CBD

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
Instruction ID: 378738cdd5c124679f733f53a77ba13db381091ea2debcd477bd74601b7693f5
Opcode Fuzzy Hash: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
Instruction Fuzzy Hash: B501A930540B14ABEB316B10DD8EFAA77B8BF04B05F001659B593A14E1DBF0AE84DF94

Function 00C522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C522BE

Part of subcall function 00C529C8: HeapFree.KERNEL32(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C522D0
_free.LIBCMT ref: 00C522E3
_free.LIBCMT ref: 00C522F4
_free.LIBCMT ref: 00C52305

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f2708820bac889967c55303abb1d2d8b47ee58090f29525164d7c59bc039b88
Instruction ID: e77823686d73591dcdfbc2d53df0d5c9147389195ab7d494ecc6f3c889c26f25
Opcode Fuzzy Hash: 4f2708820bac889967c55303abb1d2d8b47ee58090f29525164d7c59bc039b88
Instruction Fuzzy Hash: 09F0FB794111119B8612AF94BC41BED3BD5F7257627150506FC20E63B1C7310595EFDA

Function 00C395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C395D4
StrokeAndFillPath.GDI32(?,?,00C771F7,00000000,?,?,?), ref: 00C395F0
SelectObject.GDI32(?,00000000), ref: 00C39603
DeleteObject.GDI32 ref: 00C39616
StrokePath.GDI32(?), ref: 00C39631

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
Instruction ID: b2ae26f280753327c0760b03f8d42429fc2735982475f9f690f0949710afaf5b
Opcode Fuzzy Hash: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
Instruction Fuzzy Hash: D3F03C30006204EBDB126F69ED5C7BD3B75EB10322F088314F866550F0C7B08A91DFA2

Function 00C50F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C510F9
__freea.LIBCMT ref: 00C51117

Part of subcall function 00C51537: _free.LIBCMT ref: 00C5154F

Strings

am/pm, xrefs: 00C5117A
a/p, xrefs: 00C511DE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 57fbddcf6fac9872d618ce68da1f9be16913f50233e6cc9a335457ff2a151c66
Instruction ID: 8200fdc860db1ebf36e024221dc27c4da8a9ae564bc36e13b413b450d38a4c38
Opcode Fuzzy Hash: 57fbddcf6fac9872d618ce68da1f9be16913f50233e6cc9a335457ff2a151c66
Instruction Fuzzy Hash: C1D1F339900246DACB249F69C86DBBEB7B0FF05702F2C0159ED219B661D3359EC8CB59

Function 00CA7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C40242: EnterCriticalSection.KERNEL32(00CF070C,00CF1884,?,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4024D
Part of subcall function 00C40242: LeaveCriticalSection.KERNEL32(00CF070C,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4028A

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C400A3: __onexit.LIBCMT ref: 00C400A9

__Init_thread_footer.LIBCMT ref: 00CA7BFB

Part of subcall function 00C401F8: EnterCriticalSection.KERNEL32(00CF070C,?,?,00C38747,00CF2514), ref: 00C40202
Part of subcall function 00C401F8: LeaveCriticalSection.KERNEL32(00CF070C,?,00C38747,00CF2514), ref: 00C40235

Strings

Variable must be of type 'Object'., xrefs: 00CA7C3A
G, xrefs: 00CA7C7F
5, xrefs: 00CA7C78

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6a57d1d170540209b1fe3b465fce510da38f71264f08ca460e12d7010d5d3994
Instruction ID: e57555218613fc021f4ea0d3c51cb577b50df93a4dc0164ed5a8aa3d0557da14
Opcode Fuzzy Hash: 6a57d1d170540209b1fe3b465fce510da38f71264f08ca460e12d7010d5d3994
Instruction Fuzzy Hash: 2091AC70A0420AEFCB14EF94D891DBDB7B1FF4A308F108159F8169B292DB71AE45DB51

Function 00C82716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821D0,?,?,00000034,00000800,?,00000034), ref: 00C8B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C82760

Part of subcall function 00C8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C8B3F8

Part of subcall function 00C8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C8B355
Part of subcall function 00C8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B365
Part of subcall function 00C8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C8281A

Strings

@, xrefs: 00C82832

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
Instruction ID: 08a186a50396027fcbce642f3c923d29e2735ecdc3354602cbb11d1e35219dc0
Opcode Fuzzy Hash: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
Instruction Fuzzy Hash: 35413C72900218BFDB10EBA4CD86BEEBBB8AF09304F004059FA55B7191DB706E45DBA0

Function 00C5172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C51769
_free.LIBCMT ref: 00C51834
_free.LIBCMT ref: 00C5183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C51760, 00C51767, 00C51796, 00C517CE

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
Instruction ID: 583e65ce548ff54fba9f8a4f5f60501bbe8621e0f3a07fcb54ebec54ba36e82b
Opcode Fuzzy Hash: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
Instruction Fuzzy Hash: F631C279A00218EFCB21DF99DC88FAEBBFCEB89351B184166FC1097211D6704E84DB94

Function 00C8C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C8C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C8C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CF1990,012B64E0), ref: 00C8C395

Strings

0, xrefs: 00C8C2DF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
Instruction ID: b72f24847629e6b305b1a0d47d9ae9d2a6eeb05f77d4d9b7955477161648c0b4
Opcode Fuzzy Hash: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
Instruction Fuzzy Hash: 3141A2312043019FD720EF25D8C5B9ABBE4EF85318F14861EF9A5972E1D730E905DB66

Function 00CB4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CBCC08,00000000,?,?,?,?), ref: 00CB44AA
GetWindowLongW.USER32 ref: 00CB44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB44D7

Strings

SysTreeView32, xrefs: 00CB447C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 57bd664e60bafdf1bbca4f9119d64188bedea955091b65b8d762964f95f35ef2
Instruction ID: 527ff18724a87e3c11300896e12dca0dddf150471d4104942baf8b13b8912c54
Opcode Fuzzy Hash: 57bd664e60bafdf1bbca4f9119d64188bedea955091b65b8d762964f95f35ef2
Instruction Fuzzy Hash: 33319C31214605AFDF248E78DC85FEA7BA9EB08334F204725F975921E1DB70ED649B60

Function 00CA304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CA3077,?,?), ref: 00CA3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
_wcslen.LIBCMT ref: 00CA309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CA3106

Strings

255.255.255.255, xrefs: 00CA3095, 00CA309A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6addc51691c43af53b4c76a80cdd3a42362e1279a362843241e59db925a2058e
Instruction ID: 2de59981f65b42272864d5c29bbd33ab3535122dbaa740f17704e8e095da5d9f
Opcode Fuzzy Hash: 6addc51691c43af53b4c76a80cdd3a42362e1279a362843241e59db925a2058e
Instruction Fuzzy Hash: 9931C4392042869FCB10CF69C595E6977F0EF56318F248059F9258B392DB32DF41C760

Function 00CB3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CB3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CB3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB3F78

Strings

SysMonthCal32, xrefs: 00CB3F0B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e580e0477e8daa585ffbfdd660ffeaf7b9fd1194ecc2afcfb4aa25d40b515eb5
Instruction ID: 89df45c748bb144209af6cb3cfa6d6887f8e87aabd9266f8001e49b56be91f1f
Opcode Fuzzy Hash: e580e0477e8daa585ffbfdd660ffeaf7b9fd1194ecc2afcfb4aa25d40b515eb5
Instruction Fuzzy Hash: CC21AB32600259BBDF218E90CC86FEE3B79EB48714F110254FA156B1D0D6B1AD50DBA0

Function 00CB4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CB4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CB4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CB471A

Strings

msctls_updown32, xrefs: 00CB4684

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 01c85fcc463ab991ca5e8c81fa428e274b227124f3b762aed33eb63613da82c5
Instruction ID: fb368d12f8501018889586659e63a619366b764a6627a8665868bbd6d9d0378d
Opcode Fuzzy Hash: 01c85fcc463ab991ca5e8c81fa428e274b227124f3b762aed33eb63613da82c5
Instruction Fuzzy Hash: D62171B5604208AFDB14DF64DCC1EBB37ADEF5A3A4F040159FA10AB251CB71ED11DA60

Function 00C895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8961D

Strings

#notrayicon, xrefs: 00C895B7
#requireadmin, xrefs: 00C895D9
#OnAutoItStartRegister, xrefs: 00C895F3

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b894363dc47922ba2e8ac541b422decede0aafbfcc880f5345aa4822099efdd3
Instruction ID: 1152486669d2a52b377487f02c82876c91d3aa8f13a0bd50849e79c8a1dd4eaf
Opcode Fuzzy Hash: b894363dc47922ba2e8ac541b422decede0aafbfcc880f5345aa4822099efdd3
Instruction Fuzzy Hash: C8213832204520A6C331BA259C02FBB7398EF51308F18403AF95997141FB719E46D399

Function 00CB37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CB3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CB3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CB3876

Strings

Listbox, xrefs: 00CB380F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a7cd9d8943bb04b182764855278e56525f904bda9befebf13b865ed8064555e4
Instruction ID: b7141bd8571c175f061d30fc9cef9b0d462b647c4626a3deba368136910b3ef9
Opcode Fuzzy Hash: a7cd9d8943bb04b182764855278e56525f904bda9befebf13b865ed8064555e4
Instruction Fuzzy Hash: 8D21AC72610258BBEB218E55DC85FFB376EEF89750F118125F910AB190CA729D5287A0

Function 00C949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C94A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C94A5C
SetErrorMode.KERNEL32(00000000,?,?,00CBCC08), ref: 00C94AD0

Strings

%lu, xrefs: 00C94A6F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
Instruction ID: b632729fcaa4ebdc4184192042ab5c95c59fee3dce088eb547f63f51305c0578
Opcode Fuzzy Hash: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
Instruction Fuzzy Hash: 3A316171A00108AFDB10DF54C885EAE7BF8EF04308F1440A5F905EB252DB71EE46DB61

Function 00CB41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CB424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CB4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CB4271

Strings

msctls_trackbar32, xrefs: 00CB4226

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a1d256d1c7f38e378317aa344228323ccf7a3333c03e1cfab9c414f3548f7d53
Instruction ID: bcb9a6ce6161802c9a92494900e5c4034272600b286a1d5d70e3f33ce662992f
Opcode Fuzzy Hash: a1d256d1c7f38e378317aa344228323ccf7a3333c03e1cfab9c414f3548f7d53
Instruction Fuzzy Hash: EA11E371244248BEEF205E29CC06FEB3BACEF95B54F010124FA55E2091D671DC11EB60

Function 00C82F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Part of subcall function 00C82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
Part of subcall function 00C82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
Part of subcall function 00C82DA7: GetCurrentThreadId.KERNEL32 ref: 00C82DDD
Part of subcall function 00C82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4

GetFocus.USER32 ref: 00C82F78

Part of subcall function 00C82DEE: GetParent.USER32(00000000), ref: 00C82DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C82FC3
EnumChildWindows.USER32(?,00C8303B), ref: 00C82FEB

Strings

%s%d, xrefs: 00C82FFF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
Instruction ID: 41d9cab23e5ebb749590e3a49f4440735d70c767bc3a0e836db79ad679b33f41
Opcode Fuzzy Hash: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
Instruction Fuzzy Hash: 9011AF756002056BCF157F609CC9FEE3B6AAF94708F04507AF9099B292DF309A49EB74

Function 00C8007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
Instruction ID: 8970e6eec0366e84c36c7a018a5cdac31f949e0dc93f93932e03d5dc575a240f
Opcode Fuzzy Hash: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
Instruction Fuzzy Hash: D6C17D75A00206EFDB54DF94C888BAEB7B5FF48318F218598E415EB261C770EE85CB94

Function 00C53E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C53F0B
__alldvrm.LIBCMT ref: 00C5410C
__alldvrm.LIBCMT ref: 00C5412E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0cc9959e3afb0dc990c6e2cfaf2cdb24a7291ec58918b1334c3e2cbc5a76df86
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: F5A1AB79D007869FD729CF18C8817AEBBE4EF61385F2841ADED559B281C2348EC9C758

Function 00CA342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA3459
CoUninitialize.OLE32 ref: 00CA3463
VariantInit.OLEAUT32(?), ref: 00CA346E
VariantClear.OLEAUT32(?), ref: 00CA371B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fcf4c9626df300ec5f5dcc04ea16f08fb91bbef677df92b18876ec31d263193e
Instruction ID: 89945e3d7303bf230652d2070dcd8b6dfd81c0fa239fc69f45102cecd4f58d84
Opcode Fuzzy Hash: fcf4c9626df300ec5f5dcc04ea16f08fb91bbef677df92b18876ec31d263193e
Instruction Fuzzy Hash: F0A17A756043119FCB00DF28C595A2AB7E5FF89314F14895DF98AAB362DB30EE01DB92

Function 00C80436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C80608
CLSIDFromProgID.OLE32(?,?,00000000,00CBCC40,000000FF,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C8062D
_memcmp.LIBVCRUNTIME ref: 00C8064E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cf195bdc2b298372d0ac3e4db55bfd462d2ce0d7a43f2dad782f4ca91632741e
Instruction ID: 2d447f4610de215ed31724cd7b8c18a1ae88cdd4d254f9f52d9f7b96f9ec5a2f
Opcode Fuzzy Hash: cf195bdc2b298372d0ac3e4db55bfd462d2ce0d7a43f2dad782f4ca91632741e
Instruction Fuzzy Hash: BA814B71A00109EFCB44DF94C988EEEB7B9FF89315F204158F516AB250DB71AE0ACB64

Function 00C61391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C614C0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
Instruction ID: a7001e6c995b1d305ac1ae2af2c01525e1ac49643df84597e45a1c2a3392f30d
Opcode Fuzzy Hash: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
Instruction Fuzzy Hash: C4412C35900110ABDB317BB98CC66BE3AA4FF41372F1C4225FC29D7291EA748A417272

Function 00CB6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB62E2
ScreenToClient.USER32(?,?), ref: 00CB6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CB6382

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
Instruction ID: d25de83d15725a21196ab2f33f17bc4bed8de9084787cc8d26fe26fc78cae2ed
Opcode Fuzzy Hash: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
Instruction Fuzzy Hash: 3D512B74900209EFDF10DF58D880AEE7BF5EB55360F148269F925972A0D734EE41CB90

Function 00CA1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CA1AFD
WSAGetLastError.WSOCK32 ref: 00CA1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CA1B8A
WSAGetLastError.WSOCK32 ref: 00CA1B94

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5df4a8d10f80826135b1bd2490316c9c3c689d6373573f3e0ee2561a518d7984
Instruction ID: 9c2aa0a79615e4b9f61078dac4a18a7f3449af9ac1f14840ad7689530013ae07
Opcode Fuzzy Hash: 5df4a8d10f80826135b1bd2490316c9c3c689d6373573f3e0ee2561a518d7984
Instruction Fuzzy Hash: 19411474600201AFE720AF24D886F2977E5AF48718F588048F91A9F7D3D772DE41CBA0

Function 00C5B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
Instruction ID: 5b73f3e190ebf00ccba6c670a20126f8f9b73d109ec7c9a11ff5fbaaad733bd5
Opcode Fuzzy Hash: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
Instruction Fuzzy Hash: 25412879A00314AFD7349F38CC41BAABFE9EB88711F20452EF911DB281D3719D859794

Function 00C956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C95783
GetLastError.KERNEL32(?,00000000), ref: 00C957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C957FA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
Instruction ID: 48bd66e3202c51e8eb8790ef0e1fb071e95e22f3edf5d2a95d177443444763fa
Opcode Fuzzy Hash: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
Instruction Fuzzy Hash: 6E412F35600610DFCF11EF55D584A5EBBE1EF89320B198498E85AAF762CB34FD40DB91

Function 00C5D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C46D71,00000000,00000000,00C482D9,?,00C482D9,?,00000001,00C46D71,8BE85006,00000001,00C482D9,00C482D9), ref: 00C5D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C5D9AB
__freea.LIBCMT ref: 00C5D9B4

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b5cca259d5b6c4ca5fe50e36246da934a75ba6e1515b392ea1c207a3f67d3bc9
Instruction ID: 5eaeac83cd4f4171ac8c3472825f0a67a89cf300ee86ffc21f0e855871dccfc7
Opcode Fuzzy Hash: b5cca259d5b6c4ca5fe50e36246da934a75ba6e1515b392ea1c207a3f67d3bc9
Instruction Fuzzy Hash: 7531EE72A1030AABDF24DF64DC81EAE7BA5EB41311F050268FC15E6151EB35CE98DB90

Function 00CB52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CB5352
GetWindowLongW.USER32(?,000000F0), ref: 00CB5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB53A8

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
Instruction ID: f6f18952b6e9982c441bc9e6cb64f4c8479c028f81e569b71370310cb4815419
Opcode Fuzzy Hash: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
Instruction Fuzzy Hash: B431A334A55A08EFEB309E14CC55FE977E5AB04390F584102FA21963F1C7F59E80EB52

Function 00C8AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C8ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C8AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C8AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C8ACC6

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
Instruction ID: 84374333fcb9ddf3ec7f0b4cc0e1c1f29efe5baeb716b5613f32056187180ba2
Opcode Fuzzy Hash: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
Instruction Fuzzy Hash: A9312B70A007186FFF35EB698C04BFE7BA5AB49318F08431BE495521D1C3768E85975A

Function 00CB7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CB769A
GetWindowRect.USER32(?,?), ref: 00CB7710
PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720
MessageBeep.USER32(00000000), ref: 00CB778C

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
Instruction ID: 4c1a1293e03dd773ef55b33e31cf9b02a390a4437ad5c86fb7de93f869b10a97
Opcode Fuzzy Hash: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
Instruction Fuzzy Hash: 3E416B34A09214DFCB12CF59C894FED77F5FB89314F1942A8EC25AB261CB71AA41CB90

Function 00CB16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CB16EB

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

GetCaretPos.USER32(?), ref: 00CB16FF
ClientToScreen.USER32(00000000,?), ref: 00CB174C
GetForegroundWindow.USER32 ref: 00CB1752

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4212ffcd9f9d0afd1aa801c246a426a6aea2facf62b35c6946ca4ccc12e6c99b
Instruction ID: 7171403627ed9d3dba83609429d81b9e82f9416c8d63812aad5209a5e00f5eb6
Opcode Fuzzy Hash: 4212ffcd9f9d0afd1aa801c246a426a6aea2facf62b35c6946ca4ccc12e6c99b
Instruction Fuzzy Hash: 98315071D00159AFCB04EFA9D8C1DEEBBF9EF48304B5480AAE415E7611DB319E45DBA0

Function 00C8DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

_wcslen.LIBCMT ref: 00C8DFCB
_wcslen.LIBCMT ref: 00C8DFE2
_wcslen.LIBCMT ref: 00C8E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C8E018

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 3c2b3a440415fbcc87e0cad78a01e0525d06b95ef4ad4bbdd22723529c67ff8f
Instruction ID: 61bb42573b90de8680886a1f93ffde38831e64cae6343a19a08e256d68990a28
Opcode Fuzzy Hash: 3c2b3a440415fbcc87e0cad78a01e0525d06b95ef4ad4bbdd22723529c67ff8f
Instruction Fuzzy Hash: C421D171900214AFCB20AFA8D881BAEB7F8EF45724F144068E905BB285D7709E41EBA1

Function 00C8D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C8D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C8D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C8D52F
CloseHandle.KERNEL32(00000000), ref: 00C8D5DC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 78998eb209254bd539a24003a26a2fe1ad175320e446738283e1611e60ef4980
Instruction ID: 590048f85dd6ca1ca63e158975a11d27f885f25e48db3ada6ca8d9e8005e6406
Opcode Fuzzy Hash: 78998eb209254bd539a24003a26a2fe1ad175320e446738283e1611e60ef4980
Instruction Fuzzy Hash: 3E31A0711083009FD300EF54D881BAFBBF8EF99358F14092DF582961E1EB719A48DBA2

Function 00C8D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CBCB68), ref: 00C8D2FB
GetLastError.KERNEL32 ref: 00C8D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CBCB68), ref: 00C8D376

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
Instruction ID: 4f81beb62d63a4a2c1b35ee8f3ec06b1b067fccc62654d18a4b5701e98df4893
Opcode Fuzzy Hash: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
Instruction Fuzzy Hash: 132191705043119F8700EF28D8815AEB7F4EE5A328F104A2DF4AAC72E1D730DA45CB97

Function 00C81571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
Part of subcall function 00C81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
Part of subcall function 00C81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
Part of subcall function 00C81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C815BE
_memcmp.LIBVCRUNTIME ref: 00C815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C81617
HeapFree.KERNEL32(00000000), ref: 00C8161E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
Instruction ID: 1702600f4c9a0a5f5b16af652c9c77881a373e3996a15f75d18e33a7ab01b310
Opcode Fuzzy Hash: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
Instruction Fuzzy Hash: 84214A71E00109EFDB10EFA4C945BEEB7F8FF44359F184459E891AB241E730AA46DBA4

Function 00CB8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetCursorPos.USER32(?), ref: 00CB9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C77711,?,?,?,?,?), ref: 00CB9016
GetCursorPos.USER32(?), ref: 00CB905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C77711,?,?,?), ref: 00CB9094

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
Instruction ID: 1dc229fd2e308fe4cf531e887b1fdf40ba8c8458c2cce9ca3e65a0ae444e469b
Opcode Fuzzy Hash: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
Instruction Fuzzy Hash: CB219F35600018EFCB259F94D898FFE7BB9EB4A361F044155FA1547261C7719A50EB60

Function 00CB2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CB280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CB2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CB2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CB2840

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9879630242f7489bc9b4bf60a20b603339b01402470c0f424e793a67c352ce75
Instruction ID: 6cb079a79dc1b8e73fc2b2884132fa4d833fa0277e4f1cea56fe8d524b2efd50
Opcode Fuzzy Hash: 9879630242f7489bc9b4bf60a20b603339b01402470c0f424e793a67c352ce75
Instruction Fuzzy Hash: 3921B031204521AFD7149B24C885FEA7B99EF85324F148258F4268B6E2CB72FD82CBD0

Function 00C878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88D8C
Part of subcall function 00C88D7D: lstrcpyW.KERNEL32(00000000,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C88DB2
Part of subcall function 00C88D7D: lstrcmpiW.KERNEL32(00000000,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87923
lstrcpyW.KERNEL32(00000000,?,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87984

Strings

cdecl, xrefs: 00C8797B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5e22e268bcb997f39498bfbd02fd1bcb77202c9cb636194c51065547ee411ed1
Instruction ID: 396a50b473ee59098d3ea7ad3d896d23ffa3674f7a27f039a136165770370fb0
Opcode Fuzzy Hash: 5e22e268bcb997f39498bfbd02fd1bcb77202c9cb636194c51065547ee411ed1
Instruction Fuzzy Hash: F411033A200242ABCF15BF39D844E7A77A9FF95394B50412AF842CB2A4FF31D901D7A5

Function 00CB7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CB7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CB7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CB7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C9B7AD,00000000), ref: 00CB7D6B

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
Instruction ID: e7f1b3b0ed7e3fa5e510101ae60706d5c4cbe50bb71c88c4e948118aff639460
Opcode Fuzzy Hash: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
Instruction Fuzzy Hash: E2116D31615615AFCB109F68CC44BBA3BA5AF853A0F254728FC3AD72F0E7319A51DB90

Function 00C51D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d4b1b3c908a36eb0c3f0c45c99200e6b03f52ebdec037b3252d3d82a68ad68
Instruction ID: aa63605ff37a50b7ead82bc03b19efc113f6a28d16ab599c1bb9961516bad69c
Opcode Fuzzy Hash: f0d4b1b3c908a36eb0c3f0c45c99200e6b03f52ebdec037b3252d3d82a68ad68
Instruction Fuzzy Hash: 1C01A2BA20561A3EF62226786CC4F6B676CDF813BAF380325FD31611D2DB609D885168

Function 00C81A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C81A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A8A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e78a74af2e1627c43e8f72ddfd826d4072b8d9971109cefb5d388923f4ffc125
Instruction ID: 5d9d8afbd35a9af5373dc1a42991617b454bfa34148d9f520f8ee4dde1751fe1
Opcode Fuzzy Hash: e78a74af2e1627c43e8f72ddfd826d4072b8d9971109cefb5d388923f4ffc125
Instruction Fuzzy Hash: 80112A3A901219FFEB109BA5C985FEDBBB8EB08754F240091EA10B7290D6716E51EB94

Function 00C4D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C4CFF9,00000000,00000004,00000000), ref: 00C4D218
GetLastError.KERNEL32 ref: 00C4D224
__dosmaperr.LIBCMT ref: 00C4D22B
ResumeThread.KERNEL32(00000000), ref: 00C4D249

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a41815c1307d9f2b1d96a49826a4f802e87337af06143638f882d58a2f91c9e1
Instruction ID: f843c62e530a8d951989ff9ce82d985505e6887c7333524625b92e2c41645595
Opcode Fuzzy Hash: a41815c1307d9f2b1d96a49826a4f802e87337af06143638f882d58a2f91c9e1
Instruction Fuzzy Hash: 1201D276805214BBDB216BA5DC49BAF7AA9FF81331F100329F926921E0CBB0CD41D6A0

Function 00C8E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C8E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C8E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C8E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C8E24D

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4d9acf4ababf7f2b512151070ecccf5bff3349f075fbb7d090b1f8711cbbb0b4
Instruction ID: 06d75030491b9471f9e05302175721e1afa96e727db224a98b64b3f6d8f5cfbc
Opcode Fuzzy Hash: 4d9acf4ababf7f2b512151070ecccf5bff3349f075fbb7d090b1f8711cbbb0b4
Instruction Fuzzy Hash: 4C11DB76904254BBC701AFA89C45BAE7FADAB45324F144365F925E32A1D6B0CE04C7A1

Function 00CB9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetClientRect.USER32(?,?), ref: 00CB9F31
GetCursorPos.USER32(?), ref: 00CB9F3B
ScreenToClient.USER32(?,?), ref: 00CB9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CB9F7A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4d66e0c55381674ed5fb96949f763c6604eb39dfc9f947683af75f034839132e
Instruction ID: e859a3a67911de5345ae3b8a8d2c1bfa28530f3b7a6c70984e20fbcf857b7b37
Opcode Fuzzy Hash: 4d66e0c55381674ed5fb96949f763c6604eb39dfc9f947683af75f034839132e
Instruction Fuzzy Hash: 7711153290011AEBDB10EFA8D889AFEB7B9FB46321F000555FA11E3150D770BB95DBA1

Function 00C2600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
GetStockObject.GDI32(00000011), ref: 00C26060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0e2f5d1de65431e0cd179008fa6248c785ea942171e269e43d916adf9427a13e
Instruction ID: 59fdcfade2f05c98271b2c96fac80f9b7b5363a8833f1ca335eaa14e8badaf51
Opcode Fuzzy Hash: 0e2f5d1de65431e0cd179008fa6248c785ea942171e269e43d916adf9427a13e
Instruction Fuzzy Hash: 47115B72501558BFEF124FA4AC84FEEBF69EF193A4F040215FA1456110DB329D60EBA4

Function 00C43B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C43B56

Part of subcall function 00C43AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C43AD2
Part of subcall function 00C43AA3: ___AdjustPointer.LIBCMT ref: 00C43AED

_UnwindNestedFrames.LIBCMT ref: 00C43B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C43B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C43BA4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1f23833b79da191246154232d75c935f8cacf8ffbf5520cd3fd12a0041a929da
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 47010C32100189BBDF126E95CC46EEB7F6EFF98754F044114FE5896121C732E961EBA0

Function 00C53073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C213C6,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue), ref: 00C530A5
GetLastError.KERNEL32(?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000,00000364,?,00C52E46), ref: 00C530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000), ref: 00C530BF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85c08fbbd0c3f9ffb6eee7088a75e05580072d1221a375ad905982878cc47cba
Instruction ID: 698b5007c9aff69fe39bab40976c43227e71d03330d8242b0e9daf39640f59bf
Opcode Fuzzy Hash: 85c08fbbd0c3f9ffb6eee7088a75e05580072d1221a375ad905982878cc47cba
Instruction Fuzzy Hash: 8201FC3A301362ABCB324B799C84B6B77989F85BE2B100720FD15E31C0C721DE49C6E4

Function 00C87464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C8747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C87497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C874CA

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c5be5420d89e7410b27e27df54aac6a7f24c0b86169757a8f21911a5d8989840
Instruction ID: fa27c44b6cb83ccf4cd8e3230e64038edee82f98c2a54cffcc203c9237bb11f5
Opcode Fuzzy Hash: c5be5420d89e7410b27e27df54aac6a7f24c0b86169757a8f21911a5d8989840
Instruction Fuzzy Hash: 9111A1B1205310ABE7209F54DC48BA67FFCEB80B18F208669A666D6151E770E944DF64

Function 00C8B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B126

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e1b09e706da19bcaad6b5ae61c05cbd0084ab73bc964840f76ba49b7be8119bd
Instruction ID: 94a4f7795b5090d2a15d087e5f7cede9182c4b9c01c334dd90e4fa6c1f6c8c78
Opcode Fuzzy Hash: e1b09e706da19bcaad6b5ae61c05cbd0084ab73bc964840f76ba49b7be8119bd
Instruction Fuzzy Hash: 0D115B71C0192CE7CF00EFE9E9987EEBB78FF19715F10418AD991B6181CB305A508B59

Function 00CB7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB7E33
ScreenToClient.USER32(?,?), ref: 00CB7E4B
ScreenToClient.USER32(?,?), ref: 00CB7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB7E8A

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: cf7665f6081254f1dbc0b54861dfcaaaec85560a5c73123a54109257d2d3747a
Instruction ID: a661a35b540bf8485ce04c36039174190c933cd8b23d2e6f120db8ee6551b249
Opcode Fuzzy Hash: cf7665f6081254f1dbc0b54861dfcaaaec85560a5c73123a54109257d2d3747a
Instruction Fuzzy Hash: C81114B9D0024AAFDB41DF98C884AEEBBF5FF08310F505166E915E3210D735AA55CF50

Function 00C82DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
GetCurrentThreadId.KERNEL32 ref: 00C82DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ecf76087285482e1924c0010b7a6a467f9c689beed336877af1ac201864b1130
Instruction ID: ec1f2d7a074b4aa7f971560d9c8d10cbff0b87987c12e7d2ca3b58676ff7d13a
Opcode Fuzzy Hash: ecf76087285482e1924c0010b7a6a467f9c689beed336877af1ac201864b1130
Instruction Fuzzy Hash: 93E0ED72501224BBD7202B669C8DFEF7F6CEB56BA6F400216B505D10919AA58941C6B0

Function 00CB8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CB8887
LineTo.GDI32(?,?,?), ref: 00CB8894
EndPath.GDI32(?), ref: 00CB88A4
StrokePath.GDI32(?), ref: 00CB88B2

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 884ec7d6fc1915daeb807bdd50472687010f5bca0e30fe3fd245f9701c0d31ea
Instruction ID: b910d585a54ad66bff0562cfe12fc27df8d2895e35d9669a5ec75e3368952757
Opcode Fuzzy Hash: 884ec7d6fc1915daeb807bdd50472687010f5bca0e30fe3fd245f9701c0d31ea
Instruction Fuzzy Hash: 72F05E36041259FBDB126F94AC4AFDE3F69AF06710F048100FA11650E1C7B65611DFE5

Function 00C398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C398CC
SetTextColor.GDI32(?,?), ref: 00C398D6
SetBkMode.GDI32(?,00000001), ref: 00C398E9
GetStockObject.GDI32(00000005), ref: 00C398F1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0b1e4757055e241957eb1b081cc0b0c2b75f6da6b4eed684e8ac64254da6df07
Instruction ID: 092e64274ea8f1de1bc9a1cc593f2ff2df8add78339019ebe75020d9dda8a096
Opcode Fuzzy Hash: 0b1e4757055e241957eb1b081cc0b0c2b75f6da6b4eed684e8ac64254da6df07
Instruction Fuzzy Hash: 8CE06D31284284AADB215B78AC49BED3F20EB12336F04C319F6FA680E1C37246409B20

Function 00C8162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C81634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C811D9), ref: 00C81648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8164F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
Instruction ID: 71ae102eb1a226f425e4affd64f7c4c6eb233308ef4ad0499a9e31bd98a4e38d
Opcode Fuzzy Hash: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
Instruction Fuzzy Hash: D7E08631601211DBD7202FA0AD4DB8B3BBCEF44795F184918F695C9090E6344541C764

Function 00C94D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C94ED4

Strings

*, xrefs: 00C94E10
LPT, xrefs: 00C94DFB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 572a7510b68735ad22428c3b497f9a4320f3f6d4448dd51e7916033567301ffe
Instruction ID: 00014f47dbe0a50d65437e3cb1b390a5d5d37cc8de3c0f641da928015057ffbe
Opcode Fuzzy Hash: 572a7510b68735ad22428c3b497f9a4320f3f6d4448dd51e7916033567301ffe
Instruction Fuzzy Hash: 36916275A002159FCB18DF98C4C8EAABBF5BF44304F148099E41A9F762D735EE86CB91

Function 00C4E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C4E30D

Strings

pow, xrefs: 00C4E2E5, 00C4E302

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a626eccf4640b53ebe843d754a1ea6bf06e1f5919d055f5484905b40561913d1
Instruction ID: 3cd1b5163ee0d1acd02a268b10e20a4341d160b4ed817262c4302d3faaedf727
Opcode Fuzzy Hash: a626eccf4640b53ebe843d754a1ea6bf06e1f5919d055f5484905b40561913d1
Instruction Fuzzy Hash: 99519065A0C2029ACB167B14ED0277D3BA4FF40742F344B58E8F5422F9DB758DC9AA4E

Function 00C3E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C3E1B1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
Instruction ID: f021e469c420ab02482364e8826107c7a1b45d77d0d237517df7fcdf40e3c196
Opcode Fuzzy Hash: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
Instruction Fuzzy Hash: 2B512376500346DFDB19DF68C481ABA7BA8EF19310F248095FCA59B2D0D7349E52DBA0

Function 00C3F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C3F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C3F2BB

Strings

@, xrefs: 00C3F2AF

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
Instruction ID: 0b7190e95f1b18c1b0312fbfcbcdc392ea08fce9ed6c5a3b61feb012188a6ea6
Opcode Fuzzy Hash: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
Instruction Fuzzy Hash: 1D512372408744ABD320AF54E886BAFBBF8FB84300F81895DF1D9411A5EB719529CB66

Function 00CA5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CA57E0
_wcslen.LIBCMT ref: 00CA57EC

Strings

CALLARGARRAY, xrefs: 00CA57E6, 00CA57EB

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: cf808792137ac24827d64eebd58ecf3ca299d1805101067afe8875fa2bd3961a
Instruction ID: 162561f9cee836ceb322a6fa252ebc117468cf362b878f275c20024719621fa4
Opcode Fuzzy Hash: cf808792137ac24827d64eebd58ecf3ca299d1805101067afe8875fa2bd3961a
Instruction Fuzzy Hash: B041B271E0020A9FCB14DFA9C8819BEBBB5FF5A318F148129E515A7291E7349E81DB90

Function 00C9D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C9D13A

Strings

|, xrefs: 00C9D10B

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
Instruction ID: f7dc08d6ff230b6f1630f6f09851438176061917788d389396bd87d99a8c7a48
Opcode Fuzzy Hash: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
Instruction Fuzzy Hash: CE313C71D01219ABCF15EFA5DC85AEEBFB9FF04310F100019F816B6162EB31AA56DB60

Function 00CB356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CB3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CB365C

Strings

static, xrefs: 00CB35BC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fc0a04d9e0f255de8359dd899433661f428ecc807175565c836a3870484f2851
Instruction ID: a34427ba8459311ad88bd00c5f4dc40a68e359b6c36eded3609a579258040027
Opcode Fuzzy Hash: fc0a04d9e0f255de8359dd899433661f428ecc807175565c836a3870484f2851
Instruction Fuzzy Hash: 86319A71110644AEDB24DF68DC80FFB73A9FF88720F109619F9A597290DA30AE81DB64

Function 00CB4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CB461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB4634

Strings

', xrefs: 00CB458E

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3d7235f0f547f6dc71eee5760a6d95939fcb14974d3977241dda068316d96a4f
Instruction ID: 679c948faf46f589bb96944be08f332ca6114f5bc75679565d923a8d64960a5f
Opcode Fuzzy Hash: 3d7235f0f547f6dc71eee5760a6d95939fcb14974d3977241dda068316d96a4f
Instruction Fuzzy Hash: B1313974A047199FDF18CFA9C980BEA7BB5FF09300F14406AE904AB342D770AA45CF90

Function 00CB31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CB327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB3287

Strings

Combobox, xrefs: 00CB3249

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ff78d3aa93e4afabb5f694cd8f1462974de7f9841a604bc1206afd8f0fe280b8
Instruction ID: 8409c285dfa7f8dfb0eb30f2d30a4fdf3ee27836c8227c0f65a17255b1a755ed
Opcode Fuzzy Hash: ff78d3aa93e4afabb5f694cd8f1462974de7f9841a604bc1206afd8f0fe280b8
Instruction Fuzzy Hash: 3A11B2713002487FEF259E94DC81FFB376AEB983A4F104228F92897292D6719E519761

Function 00CB3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
Part of subcall function 00C2600E: GetStockObject.GDI32(00000011), ref: 00C26060
Part of subcall function 00C2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

GetWindowRect.USER32(00000000,?), ref: 00CB377A
GetSysColor.USER32(00000012), ref: 00CB3794

Strings

static, xrefs: 00CB3757

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3eff7c72b6e372020d9002bf15ab1ab6a57ead791e86394c7b7c68ebd014f9ea
Instruction ID: 64b377f68f4ab8518b15988a3f3e58967abbf78c061df8f30b9d826f6579c884
Opcode Fuzzy Hash: 3eff7c72b6e372020d9002bf15ab1ab6a57ead791e86394c7b7c68ebd014f9ea
Instruction Fuzzy Hash: 2A1129B2610209AFDF00DFA8CD85EEE7BB8EB08354F004624F965E2250EB35E951DB60

Function 00C9CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C9CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C9CDA6

Strings

<local>, xrefs: 00C9CD66

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
Instruction ID: 01d50f0c0fec5baa94fc2111d01bdd28edf872bfc3ca528a7e4fa5e187516f5b
Opcode Fuzzy Hash: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
Instruction Fuzzy Hash: 3311A3B22056317ADB244B668CC9FE7BE6CEB127A4F004226F11993080D6609950D6F0

Function 00CB3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CB34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CB34BA

Strings

edit, xrefs: 00CB348F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c1d045caeb186d939c0eac2486b21c82f76b3f323d9ceaeff5ed69f95fec8c4a
Instruction ID: 51cc92700323fe289533ef8531a75c5ce6f8e64b7b38d1824e8acded62fbc36e
Opcode Fuzzy Hash: c1d045caeb186d939c0eac2486b21c82f76b3f323d9ceaeff5ed69f95fec8c4a
Instruction Fuzzy Hash: 9D118C71200248ABEB228E68DC84BFB3B6AEF15374F504724F971971E0C771DE55AB60

Function 00C86C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C86CB6
_wcslen.LIBCMT ref: 00C86CC2

Strings

STOP, xrefs: 00C86CBC, 00C86CC1

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 00efce601bd455f20c2ccc2920d5c4d9e7cdfa185e60db9d13f67c1d11d5c4d7
Instruction ID: 7bbd57035349d102d62d64ec4d7b37cef6bd63eee92224e240b24c4dcc935eed
Opcode Fuzzy Hash: 00efce601bd455f20c2ccc2920d5c4d9e7cdfa185e60db9d13f67c1d11d5c4d7
Instruction Fuzzy Hash: 3101C032A105268BCB21BFFEDC809BF77B5FB61718B100529E86296190EA31DA00D754

Function 00C81CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C81D4C

Strings

ComboBox, xrefs: 00C81CEB
ListBox, xrefs: 00C81D16

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 096c171d6baf84c474f5195a6f32ab2442e4e52e5108c86e8b6ebaa0956381be
Instruction ID: 6dfe83445a83c584c0be63e3ab8f186335a496ca4c9963d19210426bb027ccfd
Opcode Fuzzy Hash: 096c171d6baf84c474f5195a6f32ab2442e4e52e5108c86e8b6ebaa0956381be
Instruction Fuzzy Hash: C201D875601228ABCB05FBA4DC51EFE73A8FB46354F08062AFC32572C1EA3059099764

Function 00C81BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C81C46

Strings

ComboBox, xrefs: 00C81BE5
ListBox, xrefs: 00C81C10

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1306a4fd50b7b1e077aaae99f306bebdcf76616779a5efd9ee2121e48f36af76
Instruction ID: 87bc8c4073c9e14535991a93a2b7bc5ee7b4b11fac8707e24cefe84e23335bee
Opcode Fuzzy Hash: 1306a4fd50b7b1e077aaae99f306bebdcf76616779a5efd9ee2121e48f36af76
Instruction Fuzzy Hash: 9901A775B8111867CB04FB90D951EFF77ECEB16344F180029B816672C1EA209F0997B5

Function 00C81C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C81CC8

Strings

ComboBox, xrefs: 00C81C69
ListBox, xrefs: 00C81C94

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3f58b7ea96728459980a92a67f9f8182009ff3c4a8a97c8d729ec9f4fe0e637d
Instruction ID: aab7fdd9d05f85698c8440c27cd2b5aaa0a1596e44693cb8386e77ddf37ba8ee
Opcode Fuzzy Hash: 3f58b7ea96728459980a92a67f9f8182009ff3c4a8a97c8d729ec9f4fe0e637d
Instruction Fuzzy Hash: 9201D6B5B8012867CB04FBA5DA11EFE73ECAB12384F180025BC0273281EA709F09D775

Function 00C81D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C81DD3

Strings

ComboBox, xrefs: 00C81D75
ListBox, xrefs: 00C81DA0

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3d0512ba48e41f3f2d038564409d5f88ec26dc491533b911a083525dc660b943
Instruction ID: 05ec9f82461bd89be9f6652d633783835a52367c670794ba3eabfbd21dd62c34
Opcode Fuzzy Hash: 3d0512ba48e41f3f2d038564409d5f88ec26dc491533b911a083525dc660b943
Instruction Fuzzy Hash: EBF0C871B5122867DB05F7A5DC52FFF77BCEB02758F080926BC22632C1DA705A099364

Function 00C40D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C40D71,?,?,?,00C2100A), ref: 00C3F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C2100A), ref: 00C40D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C2100A), ref: 00C40D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C40D7F

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: edff2717a90fb464c37e4c9cbf77bcb7f63eadd44c145f4e56bc184e3c2c6916
Instruction ID: 8dfdb904d801640124d22a3dd90f4617a64f257458a7c62d00a53e4b1139a81a
Opcode Fuzzy Hash: edff2717a90fb464c37e4c9cbf77bcb7f63eadd44c145f4e56bc184e3c2c6916
Instruction Fuzzy Hash: 80E092B06407518BD730AFBCE8487567BE0BF04740F104A2DE592C7751DBB5E449CBA2

Function 00C93017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C9302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C93044

Strings

aut, xrefs: 00C93038

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
Instruction ID: 8eed56b951182e1f6d5aed5838a7606e4e4cc4adf4d81b0a7d83f87c291df078
Opcode Fuzzy Hash: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
Instruction Fuzzy Hash: C9D05EB290032867DA20A7A5AC4EFCB3A6CDB04750F0002A1B755E3091DAB89984CBE1

Function 00C5BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C5BE93
GetLastError.KERNEL32 ref: 00C5BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5BEFC

Memory Dump Source

Source File: 00000000.00000002.2290919491.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2290907150.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2290966386.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291004500.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2291019903.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
Instruction ID: de9daac9c2736b90df334ebd0d4837c898ec9576fc6691e498b4cf73ca5d510c
Opcode Fuzzy Hash: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
Instruction Fuzzy Hash: 6941C63C600206AFCB21CFA5CC45BAA7FA5AF41312F144269FD69571A1DB708E89DB64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-851070450&timestamp=1727959954890 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=urwy376vUoYwN9O&MD=cUCp41Hp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=ea-68rD4VqKg83ox4-Kh60EVPMtVqx7APOsIZWPCLJ4JZEDKXh8TZ2L-DL3W6pAIIGQSF1p1D7o0xwaz5hpKAb0Ix7RqwS15rUl3EO5JKxDqn6jbanyXrrT_gkfIe3nULd93tQmfblyQNgOSlSJ0YWut4EbeyarpAmFMXgZbqewiNsHb
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=urwy376vUoYwN9O&MD=cUCp41Hp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre