Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523784
MD5:	84857d029b892796223a0388e578c717
SHA1:	035492bdbcf0e449294ae50eeace2ca2ba36923e
SHA256:	be9295fb6df84c5f65b777a04b1db541c15fe36fda341ad3c0f55d3b9ae17105
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 84857D029B892796223A0388E578C717)

chrome.exe (PID: 6744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6692	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_76.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_76.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000003.1681278327.0000000001414000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1682142216.0000000001415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_82.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_76.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_76.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_82.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_76.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_76.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_76.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1681249615.000000000142A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1680477983.0000000001224000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1682189998.000000000142D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_76.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BCAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8b93f721-5
Source: file.exe, 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_adf54d3a-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c6f5272c-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8dffd9ef-a

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BCD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BCE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68060	0_2_00B68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD2046	0_2_00BD2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8298	0_2_00BC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E4FF	0_2_00B9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9676B	0_2_00B9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4873	0_2_00BF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8CAA0	0_2_00B8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6CAF0	0_2_00B6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7CC39	0_2_00B7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96DD9	0_2_00B96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B691C0	0_2_00B691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7B119	0_2_00B7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81394	0_2_00B81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81706	0_2_00B81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8781B	0_2_00B8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B819B0	0_2_00B819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B67920	0_2_00B67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7997D	0_2_00B7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87A4A	0_2_00B87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87CA7	0_2_00B87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81C77	0_2_00B81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99EEE	0_2_00B99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BEBE44	0_2_00BEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81F32	0_2_00B81F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B7F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@31/30@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD37B5 GetLastError,FormatMessageW,

0_2_00BD37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BD51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BEA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BEA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00BD648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B642A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80A76 push ecx; ret

0_2_00B80A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96448

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BCDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD68EE FindFirstFileW,FindClose,	0_2_00BD68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00BD698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00BD9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDEAA2 BlockInput,

0_2_00BDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BC0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B809D5 SetUnhandledExceptionFilter,	0_2_00B809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCB226 SendInput,keybd_event,

0_2_00BCB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00BE22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00BC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80698 cpuid

0_2_00B80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00BD8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BBD27A GetUserNameW,

0_2_00BBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B9BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6692, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6692, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00BE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.google.com	0%	Virustotal	Browse
play.google.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe
https://www.google.com/intl/	1%	Virustotal		Browse
https://play.google.com/work/enroll?identifier=	0%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true&authuser=0	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://play.google.com/log?format=json&hasfast=true	0%	Virustotal		Browse
https://www.youtube.com/t/terms?chromeless=1&hl=	0%	Virustotal		Browse
https://play.google.com/log?hasfast=true&authuser=0&format=json	0%	Virustotal		Browse
https://youtube.com/t/terms?gl=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
youtube-ui.l.google.com	142.250.184.206	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	172.217.16.206	true	false	0%, Virustotal, Browse	unknown
play.google.com	142.250.185.142	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.186.68	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.46	true	false	0%, Virustotal, Browse	unknown
accounts.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	0%, Virustotal, Browse	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_76.3.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/technologies/location-data	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_76.3.dr	false	1%, Virustotal, Browse	unknown
https://apis.google.com/js/api.js	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_76.3.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/terms/service-specific	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_76.3.dr	false	0%, Virustotal, Browse	unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_76.3.dr	false	0%, Virustotal, Browse	unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_76.3.dr	false	0%, Virustotal, Browse	unknown
https://support.google.com/accounts?hl=	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_76.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	youtube.com	United States	15169	GOOGLEUS	false
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
172.217.16.206	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.110	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	play.google.com	United States	15169	GOOGLEUS	false
142.250.184.206	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523784
Start date and time:	2024-10-02 02:42:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@31/30@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 37 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 216.58.212.142, 64.233.166.84, 34.104.35.123, 142.250.186.35, 142.250.186.131, 216.58.206.42, 142.250.185.138, 142.250.185.170, 172.217.18.10, 142.250.184.202, 142.250.185.106, 172.217.16.202, 142.250.186.170, 142.250.185.202, 142.250.185.234, 142.250.184.234, 142.250.186.106, 142.250.185.74, 142.250.186.74, 142.250.181.234, 142.250.186.42, 172.217.23.106, 216.58.206.74, 216.58.212.170, 142.250.186.138, 93.184.221.240, 192.229.221.95, 142.250.185.131, 74.125.206.84, 216.58.206.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://tvsurf.jp/	Get hash	malicious	Unknown	Browse
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse
	http://racrodisaver.co.in/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf	Get hash	malicious	Unknown	Browse
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://memakers-my.sharepoint.com/:f:/p/saeed/EuiMdoZoPpVNthIaEwKAedkBDFKyUdriWNhHe2RDzQxMdQ?e=5hQMeB&xsdata=MDV8MDJ8cGhlcm1hbkBidXJiYW5rY2EuZ292fDU4NDFjYjVhMjQzNDQ2YjU2ODZmMDhkY2Q3ZjZlNzZlfDY0OGRhZTMxMTgyYjRkYTI5OWVmMjU4MWFiOGU4YmVhfDB8MHw2Mzg2MjI3MDI2NDY5MTMzMDB8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=STFxSjJFWXZ2WnFoSWJsSml1L3V4emhPdHNVTmE5OWJmbjZsSDRKcjlyND0%3d	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://tvsurf.jp/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://racrodisaver.co.in/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.245.163.56 184.28.90.27
	https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.245.163.56 184.28.90.27
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.581959378023776
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	84857d029b892796223a0388e578c717
SHA1:	035492bdbcf0e449294ae50eeace2ca2ba36923e
SHA256:	be9295fb6df84c5f65b777a04b1db541c15fe36fda341ad3c0f55d3b9ae17105
SHA512:	4dc55ddeb1ed7785dbbb674d5cf3a6f21aee22a64db1a7fa99bac284a4ca50dd270b399d722a89f3cc5905e72c44b6990c83fdfbdffbc006955349403f681bf9
SSDEEP:	12288:IqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaKTs:IqDEvCTbMWu7rQYlBQcBiT6rprG8aas
TLSH:	A8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC969F [Wed Oct 2 00:41:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3519019923h
jmp 00007F351901922Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F351901940Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F35190193DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F351901BFCDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F351901C018h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F351901C001h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9858	0x9a00	1f621cbff6b10415f2b0374ae7f2804f	False	0.29740767045454547	data	5.272517032491642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xb1e	data			1.0038650737877723
RT_GROUP_ICON	0xdd2d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd350	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd364	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd378	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd38c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd468	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 02:43:02.964214087 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:02.964282036 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:02.964340925 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:02.965341091 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:02.965367079 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.612587929 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.663609028 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.693545103 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.693562984 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.694360018 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.694453955 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.695450068 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.695502043 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.723858118 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.723985910 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.724961996 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.724978924 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.772988081 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.918370008 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.918473005 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.918530941 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.949712038 CEST	49732	443	192.168.2.4	142.250.186.46
Oct 2, 2024 02:43:03.949743986 CEST	443	49732	142.250.186.46	192.168.2.4
Oct 2, 2024 02:43:03.962764025 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:03.962789059 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:03.962856054 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:03.963166952 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:03.963181019 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.710526943 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.710877895 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:04.710905075 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.711344004 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.711421967 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:04.712074041 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.712143898 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:04.713468075 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:04.713526964 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.713835955 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:04.713843107 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:04.756944895 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.017296076 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:05.017319918 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:05.017385006 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.017405033 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:05.017460108 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:05.018806934 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.019918919 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.019932032 CEST	443	49736	142.250.184.206	192.168.2.4
Oct 2, 2024 02:43:05.019941092 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.020925999 CEST	49736	443	192.168.2.4	142.250.184.206
Oct 2, 2024 02:43:05.085105896 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 02:43:07.454338074 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:07.454399109 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:07.454480886 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:07.454689980 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:07.454710007 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:07.904032946 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:07.904061079 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:07.904117107 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:07.906419039 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:07.906430960 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.086111069 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:08.086397886 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:08.086431026 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:08.087284088 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:08.087368965 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:08.088893890 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:08.088958025 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:08.132400036 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:08.132414103 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:08.179280043 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:08.540647984 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.541006088 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.559458017 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.559472084 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.559706926 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.602931023 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.814265013 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.859402895 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.998100042 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.998290062 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.998301983 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.998336077 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:08.998428106 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.998455048 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:08.998509884 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.036515951 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.036572933 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.036669970 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.036931038 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.036950111 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.669725895 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.669807911 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.671305895 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.671319008 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.671593904 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.672854900 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.715442896 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.948031902 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.948079109 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.948290110 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.948956966 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.948976994 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:09.948993921 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 02:43:09.949001074 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 02:43:11.961756945 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:11.961781979 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:11.961973906 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:11.969295979 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:11.969307899 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.635162115 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.635389090 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.635401011 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.635793924 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.635854006 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.636498928 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.636548996 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.637548923 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.637615919 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.637877941 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.637885094 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.680598974 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.959248066 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.959302902 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.959336996 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.959398985 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.959398985 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.959417105 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.965260029 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.965327978 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.965333939 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.971509933 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.971563101 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.971621037 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.971633911 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.971817017 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.978039026 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.978111982 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.984262943 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.984308958 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.984318972 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:12.984324932 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:12.984369993 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.051610947 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.051661015 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.051691055 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.051692963 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.051703930 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.051747084 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.052455902 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.052495956 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.052553892 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.053318024 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.053328991 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.054835081 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.054877996 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.054900885 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.054908991 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.054939985 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.061213017 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.061275959 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.061283112 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.072484970 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.072534084 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.072540998 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.073951006 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.074007034 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.074012995 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.080188990 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.080240965 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.080245972 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.080332041 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.080378056 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.097253084 CEST	49756	443	192.168.2.4	172.217.16.206
Oct 2, 2024 02:43:13.097268105 CEST	443	49756	172.217.16.206	192.168.2.4
Oct 2, 2024 02:43:13.139600992 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.139642954 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.139705896 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.140049934 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.140060902 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.688714027 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.702554941 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.702570915 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.702958107 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.703017950 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.703640938 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.703687906 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.738703012 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.738806963 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.753684998 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.753699064 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.776969910 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.783088923 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.783098936 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.783502102 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.783567905 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.784221888 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.784276962 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.784704924 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.784765005 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.785036087 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.785041094 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.805041075 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.835242987 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.988529921 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.989042997 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.989101887 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.989162922 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.989183903 CEST	443	49761	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.989193916 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.989231110 CEST	49761	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.990253925 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.990283966 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:13.990364075 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.990711927 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:13.990725994 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.079238892 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.079315901 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.079368114 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.079673052 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.079684019 CEST	443	49762	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.079693079 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.079729080 CEST	49762	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.080579042 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.080627918 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.080698967 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.081001043 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.081015110 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.618292093 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.618499041 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.618519068 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.618907928 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.618967056 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.619627953 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.619709969 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.619827986 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.619889975 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.619998932 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.620007038 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.620023966 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.663403988 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.664036036 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.708203077 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.708493948 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.708512068 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.708865881 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.709018946 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.709556103 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.709614038 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.709767103 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.709825993 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.709893942 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.709903002 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.709918022 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.755409002 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.757246971 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.837023020 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.837506056 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.837582111 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.838186979 CEST	49763	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.838203907 CEST	443	49763	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.924989939 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.925899982 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.925973892 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.926651001 CEST	49767	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:14.926661015 CEST	443	49767	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:14.954698086 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:14.995405912 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221538067 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221581936 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221613884 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221638918 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:15.221642017 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221658945 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221684933 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:15.221755981 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:15.221803904 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:15.223220110 CEST	49741	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:43:15.223232985 CEST	443	49741	142.250.186.68	192.168.2.4
Oct 2, 2024 02:43:18.366503000 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:18.366532087 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:18.366782904 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:18.367949009 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:18.367964029 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:19.134576082 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:19.134653091 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:19.138536930 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:19.138550997 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:19.138943911 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:19.181551933 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:19.897006989 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:19.939414978 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148494959 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148524046 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148533106 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148549080 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148574114 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.148592949 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148602009 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.148616076 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.148629904 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.148644924 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.149421930 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.149491072 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.149497032 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.149558067 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.149663925 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.847126007 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.847146988 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:20.847157001 CEST	49772	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:20.847163916 CEST	443	49772	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:21.047301054 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.047348976 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.047420025 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.049586058 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.049602032 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.679079056 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.679553032 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.679580927 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.680156946 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.681370020 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.681452036 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:21.681581974 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.681581974 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:21.681611061 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:22.015031099 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:22.015203953 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:22.015256882 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:22.017833948 CEST	49778	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:22.017857075 CEST	443	49778	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.108872890 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.108920097 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.109004021 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.111710072 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.111728907 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.767321110 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.767683029 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.767699957 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.768018961 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.768352985 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.768409967 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.768532038 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.768532038 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.768560886 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.854372025 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.854413033 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:43.854543924 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.854765892 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:43.854779959 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.041425943 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.041462898 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.041563988 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.041930914 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.041944981 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.071907997 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.072020054 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.072137117 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.072523117 CEST	49781	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.072539091 CEST	443	49781	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.483100891 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.483409882 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.483422995 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.483786106 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.484080076 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.484143972 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.484241009 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.484258890 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.484271049 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.669008017 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.669308901 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.669327021 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.669683933 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.669986963 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.670051098 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.670160055 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.670180082 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.670192003 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.780859947 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.781409979 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.781487942 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.781938076 CEST	49782	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.781960011 CEST	443	49782	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.883948088 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.884656906 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:44.884814978 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.906411886 CEST	49783	443	192.168.2.4	142.250.185.142
Oct 2, 2024 02:43:44.906430006 CEST	443	49783	142.250.185.142	192.168.2.4
Oct 2, 2024 02:43:57.425740957 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:57.425883055 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:57.425992012 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:57.426347017 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:57.426388025 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.208673954 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.208765984 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.213767052 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.213803053 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.214052916 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.225533009 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.267410040 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.538583994 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.538608074 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.538621902 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.538721085 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.538774967 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.538840055 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.538976908 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.539016962 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.539048910 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.539057970 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.539072037 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.539119959 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.544670105 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.544713020 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:43:58.544755936 CEST	49784	443	192.168.2.4	4.245.163.56
Oct 2, 2024 02:43:58.544783115 CEST	443	49784	4.245.163.56	192.168.2.4
Oct 2, 2024 02:44:07.506372929 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:07.506428957 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:07.506504059 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:07.506810904 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:07.506824970 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:08.166867018 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:08.167181015 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:08.167207956 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:08.167537928 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:08.167833090 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:08.167891979 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:08.210731983 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:14.829464912 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.829567909 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:14.829746962 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.830008984 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.830045938 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:14.994019032 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.994070053 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:14.994153023 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.994452953 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:14.994484901 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.476994991 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.477699995 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.477754116 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.478152990 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.478523016 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.478596926 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.478691101 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.478724957 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.478738070 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.644197941 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.644501925 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.644532919 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.644912004 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.645251989 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.645334959 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.645428896 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.645428896 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.645467043 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.778891087 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.779335022 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.779423952 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.779809952 CEST	49789	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.779855967 CEST	443	49789	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.946830988 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.948066950 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:15.948143959 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.948280096 CEST	49790	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:15.948301077 CEST	443	49790	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:18.108202934 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:18.108267069 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:18.108342886 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:30.570988894 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 2, 2024 02:44:30.571064949 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 2, 2024 02:44:45.432447910 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.432477951 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:45.432557106 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.432838917 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.432849884 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:45.619293928 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.619333982 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:45.619404078 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.619642019 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:45.619657040 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.079808950 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.084095001 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.084109068 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.084436893 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.118390083 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.118501902 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.118623018 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.118649006 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.118657112 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.265876055 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.266170025 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.266182899 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.266494989 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.266850948 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.266907930 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.266968012 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.266999960 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.267004967 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.383430958 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.384159088 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.384213924 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.384432077 CEST	49792	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.384450912 CEST	443	49792	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.564894915 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.565717936 CEST	443	49793	142.250.185.110	192.168.2.4
Oct 2, 2024 02:44:46.565774918 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.566067934 CEST	49793	443	192.168.2.4	142.250.185.110
Oct 2, 2024 02:44:46.566092014 CEST	443	49793	142.250.185.110	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 02:43:02.857319117 CEST	53	61499	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:02.876127005 CEST	51344	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:02.876281977 CEST	57058	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:02.882730007 CEST	53	51344	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:02.883133888 CEST	53	57058	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:02.888607025 CEST	53	52043	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:03.953578949 CEST	54638	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:03.954029083 CEST	53123	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:03.960181952 CEST	53	54638	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:03.960412025 CEST	53	53123	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:04.007971048 CEST	53	58533	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:07.446774006 CEST	58930	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:07.446974993 CEST	57962	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:07.453411102 CEST	53	58930	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:07.453627110 CEST	53	57962	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:09.353461981 CEST	53	63949	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:11.949759007 CEST	63784	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:11.949954987 CEST	56283	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:11.956439972 CEST	53	63784	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:11.958594084 CEST	53	56283	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:13.002660990 CEST	53165	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:13.003297091 CEST	55051	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:43:13.009382010 CEST	53	53165	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:13.009802103 CEST	53	55051	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:15.327188015 CEST	53	63438	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:21.005423069 CEST	53	57530	1.1.1.1	192.168.2.4
Oct 2, 2024 02:43:22.373460054 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 02:43:40.077313900 CEST	53	58325	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:02.453198910 CEST	53	50101	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:02.813770056 CEST	53	64181	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:10.988600016 CEST	53	55537	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:14.822284937 CEST	62724	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:44:14.822448969 CEST	60102	53	192.168.2.4	1.1.1.1
Oct 2, 2024 02:44:14.828860998 CEST	53	60102	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:14.828885078 CEST	53	62724	1.1.1.1	192.168.2.4
Oct 2, 2024 02:44:30.578619003 CEST	53	65370	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 2, 2024 02:44:32.493345022 CEST	192.168.2.4	1.1.1.1	c233	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 02:43:02.876127005 CEST	192.168.2.4	1.1.1.1	0xfcce	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:02.876281977 CEST	192.168.2.4	1.1.1.1	0x409	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 02:43:03.953578949 CEST	192.168.2.4	1.1.1.1	0x8eef	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.954029083 CEST	192.168.2.4	1.1.1.1	0x9872	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 02:43:07.446774006 CEST	192.168.2.4	1.1.1.1	0x5af	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:07.446974993 CEST	192.168.2.4	1.1.1.1	0xeac2	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 02:43:11.949759007 CEST	192.168.2.4	1.1.1.1	0x4564	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:11.949954987 CEST	192.168.2.4	1.1.1.1	0x17cc	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 02:43:13.002660990 CEST	192.168.2.4	1.1.1.1	0x994d	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:13.003297091 CEST	192.168.2.4	1.1.1.1	0x7e0	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 02:44:14.822284937 CEST	192.168.2.4	1.1.1.1	0xd5e6	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:44:14.822448969 CEST	192.168.2.4	1.1.1.1	0xe702	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 02:43:02.882730007 CEST	1.1.1.1	192.168.2.4	0xfcce	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:02.883133888 CEST	1.1.1.1	192.168.2.4	0x409	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960181952 CEST	1.1.1.1	192.168.2.4	0x8eef	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960412025 CEST	1.1.1.1	192.168.2.4	0x9872	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 02:43:03.960412025 CEST	1.1.1.1	192.168.2.4	0x9872	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 02:43:07.453411102 CEST	1.1.1.1	192.168.2.4	0x5af	No error (0)	www.google.com		142.250.186.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:07.453627110 CEST	1.1.1.1	192.168.2.4	0xeac2	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 02:43:11.956439972 CEST	1.1.1.1	192.168.2.4	0x4564	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 02:43:11.956439972 CEST	1.1.1.1	192.168.2.4	0x4564	No error (0)	www3.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:43:11.958594084 CEST	1.1.1.1	192.168.2.4	0x17cc	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 02:43:13.009382010 CEST	1.1.1.1	192.168.2.4	0x994d	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 02:44:14.828885078 CEST	1.1.1.1	192.168.2.4	0xd5e6	No error (0)	play.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	142.250.186.46	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:03 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:03 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 00:43:03 GMT Date: Wed, 02 Oct 2024 00:43:03 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.184.206	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:04 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:05 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 00:43:04 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 01:13:04 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=Zt-3p84Rs4s; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=HMXzWF-xIoo; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 00:43:04 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgYw%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 00:43:04 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:08 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 00:43:08 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=144162 Date: Wed, 02 Oct 2024 00:43:08 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:09 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 00:43:09 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=144105 Date: Wed, 02 Oct 2024 00:43:09 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 00:43:09 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	172.217.16.206	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:12 UTC	1236	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1746766885&timestamp=1727829790934 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:12 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-iJnJpptvxJ-14omA4pDaaA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 00:43:12 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1pBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh2PBuk_b2QQOfJk1iVlJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAA4jktjA" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 69 4a 6e 4a 70 70 74 76 78 4a 2d 31 34 6f 6d 41 34 70 44 61 61 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="iJnJpptvxJ-14omA4pDaaA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 00:43:12 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 00:43:13 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 00:43:13 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:13 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:13 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:13 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49762	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:13 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:14 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:13 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49763	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:14 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:14 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 37 39 31 39 38 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829791987",null,null,null
2024-10-02 00:43:14 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=oW78kRsCltQ8i4CVyZem2_RGJl9Gaxc8KP2lxT-9Jvi4Vk4D0UPgdkoM7COmarTO0OX5vZBOH6Qcw0EPaHwHFYz2UmzJ8YdGUHBlGTj23srsn2RcfbI4q4yfd-weYwRuLk3eVts15LC85BD1gig3pX0REQDo88eTsUbCG4RqIYORyiZIxA; expires=Thu, 03-Apr-2025 00:43:14 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 00:43:14 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49767	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:14 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 00:43:14 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 37 39 32 30 37 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829792077",null,null,null
2024-10-02 00:43:14 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=td3USADiuf4UJFR-rJ_nTV1nXxZ6JwH1b9VaIPLV5MHB_GegnsH3teqxUNiAEiXsc_rsLKUBt-l26GXIdDHPn5tH36lsp42jq2CNB5snErn29dckqMQRGpXIEEeyKU_KDA6l2b9nm8uGgGs9AlNIWzO2oC83ds-nIV0404CvTj4AG6B6-4c; expires=Thu, 03-Apr-2025 00:43:14 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 00:43:14 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.186.68	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:14 UTC	1214	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=td3USADiuf4UJFR-rJ_nTV1nXxZ6JwH1b9VaIPLV5MHB_GegnsH3teqxUNiAEiXsc_rsLKUBt-l26GXIdDHPn5tH36lsp42jq2CNB5snErn29dckqMQRGpXIEEeyKU_KDA6l2b9nm8uGgGs9AlNIWzO2oC83ds-nIV0404CvTj4AG6B6-4c
2024-10-02 00:43:15 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 00:12:30 GMT Expires: Thu, 10 Oct 2024 00:12:30 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1845 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 00:43:15 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 00:43:15 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 00:43:15 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 00:43:15 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 00:43:15 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49772	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3NwXhwVSFcfTD3u&MD=OOTO6bEG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 00:43:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 303d0dc2-e22d-424b-b697-b1144dafd485 MS-RequestId: af2d807d-2e2b-4d53-a7dc-4812ab50060f MS-CV: 7ojEMXLsSUSFZ39a.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 00:43:19 GMT Connection: close Content-Length: 24490
2024-10-02 00:43:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 00:43:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49778	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:21 UTC	1299	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=td3USADiuf4UJFR-rJ_nTV1nXxZ6JwH1b9VaIPLV5MHB_GegnsH3teqxUNiAEiXsc_rsLKUBt-l26GXIdDHPn5tH36lsp42jq2CNB5snErn29dckqMQRGpXIEEeyKU_KDA6l2b9nm8uGgGs9AlNIWzO2oC83ds-nIV0404CvTj4AG6B6-4c
2024-10-02 00:43:21 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 32 39 37 38 39 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727829789000",null,null,null,
2024-10-02 00:43:22 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4; expires=Thu, 03-Apr-2025 00:43:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:21 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 00:43:21 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:22 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49781	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:43 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1165 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:43:43 UTC	1165	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 32 32 31 31 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829822114",null,null,null
2024-10-02 00:43:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:43 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49782	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:44 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1327 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:43:44 UTC	1327	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 32 32 38 36 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829822860",null,null,null
2024-10-02 00:43:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49783	142.250.185.142	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:44 UTC	1290	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1039 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:43:44 UTC	1039	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 00:43:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:43:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:43:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:43:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49784	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:43:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3NwXhwVSFcfTD3u&MD=OOTO6bEG HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 00:43:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 253c193e-d983-4c0c-8a12-fa7b1d75b10b MS-RequestId: 09f73a39-85f0-498b-978d-811c1d8464c8 MS-CV: yDPMjtckjEKSVqjK.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 00:43:57 GMT Connection: close Content-Length: 30005
2024-10-02 00:43:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 00:43:58 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49789	142.250.185.110	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:44:15 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1367 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:44:15 UTC	1367	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 35 33 38 33 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829853832",null,null,null
2024-10-02 00:44:15 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:44:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:44:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:44:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49790	142.250.185.110	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:44:15 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1285 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:44:15 UTC	1285	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 35 34 30 30 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829854004",null,null,null
2024-10-02 00:44:15 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:44:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:44:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:44:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49792	142.250.185.110	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:44:46 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1363 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:44:46 UTC	1363	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 38 34 34 34 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829884441",null,null,null
2024-10-02 00:44:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:44:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:44:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:44:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49793	142.250.185.110	443	332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 00:44:46 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1318 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=K15-HjuZmQqI6hD4tJ_8uljSmItYA_5jlE5tkgcvNLVqXhQpfesGqysLAN1wLnMbB2cSh8TSdhpbnIa7-yn4OE1_NG_4G2y85HuvaWwXV32iNfuy0s_CzBpCI1tGof5wTSioOiChh7UuR8uih6UVhSIxaY_5sF7iqnjQxBHUQeUKi63bv2Kq8yttoR4
2024-10-02 00:44:46 UTC	1318	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 39 38 38 34 36 32 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727829884629",null,null,null
2024-10-02 00:44:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 00:44:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 00:44:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 00:44:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:43:00
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb60000
File size:	918'528 bytes
MD5 hash:	84857D029B892796223A0388E578C717
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:43:00
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	20:43:01
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	20:43:12
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:43:12
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1956,i,6848627385945716294,11725630218479906615,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1581
Total number of Limit Nodes:	40

Executed Functions

Function 00B642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B6430D

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetCurrentProcess.KERNEL32(?,00BFCB64,00000000,?,?), ref: 00B64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B644A0

Strings

GetNativeSystemInfo, xrefs: 00B64460
kernel32.dll, xrefs: 00B6444F
|O, xrefs: 00BA36F8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction ID: 1dbe50aecfd7d6a5b96f91be9337c7c13af949a556d9d2477149b227072273ab
Opcode Fuzzy Hash: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction Fuzzy Hash: 69A1927597E6C4DFC791D7697C827AD7FE4AB27700B0C48D9E84193B32DA244A48CB21

Function 00B642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642C9
LoadResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35D3
LockResource.KERNEL32(00B650AA,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20,?), ref: 00BA35E6

Strings

SCRIPT, xrefs: 00B642BF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction ID: 90e7b3c68415bbf48626b3781c966682ce71b214e5e6dc4d7141d02f7402a949
Opcode Fuzzy Hash: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction Fuzzy Hash: 6B115A70201604AFDB218B65DD58F277BB9EBC5B51F2081A9F40297260DB71D854CA20

Function 00BA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C22224), ref: 00BA2C10
ShellExecuteW.SHELL32(00000000,?,?,00C22224), ref: 00BA2C17

Strings

runas, xrefs: 00BA2C0B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction ID: a09d71e5130bef8387738d0374481a7820e926ba06faff045e1ef62ae1cad406
Opcode Fuzzy Hash: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction Fuzzy Hash: 8811E931208345AED704FF64D951ABEBBE4DF95750F4C04ADF582531A2CF39894AD712

Function 00BEA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00BEA6BA

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00BEA79C
CloseHandle.KERNELBASE(00000000), ref: 00BEA7AB

Part of subcall function 00B7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BA3303,?), ref: 00B7CE8A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 4484864f5451bc1caedf0731662982641eacb152e9cd4238f49b4e4542cbbc76
Instruction ID: 9e379616a46b1a419e7cdd80ea176a512aabf9c3996e3695fdc0da981411221c
Opcode Fuzzy Hash: 4484864f5451bc1caedf0731662982641eacb152e9cd4238f49b4e4542cbbc76
Instruction Fuzzy Hash: 94514D715083409FD710EF25C886E6BBBE8FF89754F00895DF599972A1EB34E904CB92

Function 00BCDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BA5222), ref: 00BCDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00BCDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00BCDBEE
FindClose.KERNEL32(00000000), ref: 00BCDBFA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction ID: 20dcd2d4351e2390746503bd065cf1a66fb5f0a1e56caf8a70a798773b412206
Opcode Fuzzy Hash: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction Fuzzy Hash: 9BF0A0308109185782206F7CAE0D9BB3BACDE01334B104B5AF836C30E0EFB06994C695

Function 00B84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D09
TerminateProcess.KERNEL32(00000000,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D10
ExitProcess.KERNEL32 ref: 00B84D22

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction ID: c7544d572e245b2563579628f0ef3d932c1a3500df1d4fda6ea8bec8bf7305d5
Opcode Fuzzy Hash: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction Fuzzy Hash: C4E0B631004149ABCF12BF54DE09A687FA9EB42781B104064FC059B132CB35EE92DB84

Function 00BEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1D4
_wcslen.LIBCMT ref: 00BEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB236
_wcslen.LIBCMT ref: 00BEB332

Part of subcall function 00BD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6

_wcslen.LIBCMT ref: 00BEB34B
_wcslen.LIBCMT ref: 00BEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BEB3B6
GetLastError.KERNEL32(00000000), ref: 00BEB407
CloseHandle.KERNEL32(?), ref: 00BEB439
CloseHandle.KERNEL32(00000000), ref: 00BEB44A
CloseHandle.KERNEL32(00000000), ref: 00BEB45C
CloseHandle.KERNEL32(00000000), ref: 00BEB46E
CloseHandle.KERNEL32(?), ref: 00BEB4E3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7437d15fe37a01cf24808a3aedd3837c7339c04144e8ede602434d8adf3b6f19
Instruction ID: e1f655454cecd9d4be42776e6c20774e61b2d3d983d99146565ce2dccf2789aa
Opcode Fuzzy Hash: 7437d15fe37a01cf24808a3aedd3837c7339c04144e8ede602434d8adf3b6f19
Instruction Fuzzy Hash: 5CF15A315082409FC714EF25C891F6BBBE5EF85314F14859DF89A9B2A2DB35EC44CB52

Function 00B6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B6D807
timeGetTime.WINMM ref: 00B6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB28
TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNEL32(0000000A), ref: 00B6DBB1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 125c3017819f751d7e94457192a717b96d962c61fe163d96ddafd110848e2ce2
Instruction ID: 8784bf7612ef82eebcbf1923cc9455d19caf12665127055079a5e6c0b8c19bf0
Opcode Fuzzy Hash: 125c3017819f751d7e94457192a717b96d962c61fe163d96ddafd110848e2ce2
Instruction Fuzzy Hash: 3A42C230B08645DFD728CF24C894BBABBE0FF45304F5886A9E56587291D7B4E844CB92

Function 00B62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62D07
RegisterClassExW.USER32(00000030), ref: 00B62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
LoadIconW.USER32(000000A9), ref: 00B62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

TaskbarCreated, xrefs: 00B62D37
0, xrefs: 00B62CE9
+, xrefs: 00B62CF0
AutoIt v3 GUI, xrefs: 00B62D23

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction ID: f2056b32ee1e4a781b05841c200f1e6994df85dfdda85d5862c7196bee0e9b74
Opcode Fuzzy Hash: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction Fuzzy Hash: 4E21B2B591131CAFDB00DFA4E949BEDBFB4FB08700F04811AEA11A72A0DBB15584CF95

Function 00BA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

GetLastError.KERNEL32 ref: 00BA076F
__dosmaperr.LIBCMT ref: 00BA0776
GetFileType.KERNELBASE(00000000), ref: 00BA0782
GetLastError.KERNEL32 ref: 00BA078C
__dosmaperr.LIBCMT ref: 00BA0795
CloseHandle.KERNEL32(00000000), ref: 00BA07B5
CloseHandle.KERNEL32(?), ref: 00BA08FF
GetLastError.KERNEL32 ref: 00BA0931
__dosmaperr.LIBCMT ref: 00BA0938

Strings

H, xrefs: 00BA08BD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction ID: 979a1bb38ae0285b910a144d3b9f93ce1600edeb5e661e73dcee0ea699b8e00f
Opcode Fuzzy Hash: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction Fuzzy Hash: ABA10932A281098FDF19BF68D851BAE7BE0EB0A324F140199F815DB291DB359D12CB95

Function 00B6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BA31CE
RegCloseKey.ADVAPI32(?), ref: 00BA3210
_wcslen.LIBCMT ref: 00BA3277
_wcslen.LIBCMT ref: 00BA3286

Strings

Include, xrefs: 00BA3184, 00BA31C5
\, xrefs: 00BA328C
Software\AutoIt v3\AutoIt, xrefs: 00B63560
\Include\, xrefs: 00B63527

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5ea34c8b2a890822df022f5af6ab0ce319df22176301dd55c8adf697398691e3
Instruction ID: 7179be431f52bea53873614262637f4f1c3eae99d3b6385805afb7b0685b4c64
Opcode Fuzzy Hash: 5ea34c8b2a890822df022f5af6ab0ce319df22176301dd55c8adf697398691e3
Instruction Fuzzy Hash: C4718A714183059ECB54EF65EC82AAFBBE8FF95740F40486EF545931B0EB349A48CB62

Function 00B62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B62B9D
LoadIconW.USER32(00000063), ref: 00B62BB3
LoadIconW.USER32(000000A4), ref: 00B62BC5
LoadIconW.USER32(000000A2), ref: 00B62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B62BEF
RegisterClassExW.USER32(?), ref: 00B62C40

Part of subcall function 00B62CD4: GetSysColorBrush.USER32(0000000F), ref: 00B62D07
Part of subcall function 00B62CD4: RegisterClassExW.USER32(00000030), ref: 00B62D31
Part of subcall function 00B62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
Part of subcall function 00B62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
Part of subcall function 00B62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
Part of subcall function 00B62CD4: LoadIconW.USER32(000000A9), ref: 00B62D85
Part of subcall function 00B62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

AutoIt v3, xrefs: 00B62C2F
#, xrefs: 00B62C16
0, xrefs: 00B62C0F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction ID: 1645c6a3200eb7b17256c156a0bc03978a0a3553fafd9b23f7e1fa74b816f783
Opcode Fuzzy Hash: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction Fuzzy Hash: E1214971E20318AFDB509FA6ED45BADBFB4FB08B50F08005AEA00A76B0D7B10954CF90

Function 00B63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B6316A,?,?), ref: 00B631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B6316A,?,?), ref: 00B63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B6316A,?,?), ref: 00B63232
CreatePopupMenu.USER32 ref: 00B63246
PostQuitMessage.USER32(00000000), ref: 00B63267

Strings

TaskbarCreated, xrefs: 00B6322D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 06778734cc4fd0e5b547697575ff1ddec6904370acd2571ff0aa66a611ce0ed0
Instruction ID: 9579ef90e2b21c879097ff61bcd7ee2973574db7148cb20efdaeeef9ae15b4b5
Opcode Fuzzy Hash: 06778734cc4fd0e5b547697575ff1ddec6904370acd2571ff0aa66a611ce0ed0
Instruction Fuzzy Hash: 45411831264204ABDF146B7C9D99B7D3AD9EB06B50F0801A5FE02D72A1CB799E80DB61

Function 00B61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B61459
CoUninitialize.COMBASE ref: 00B614F8
UnregisterHotKey.USER32(?), ref: 00B616DD
DestroyWindow.USER32(?), ref: 00BA24B9
FreeLibrary.KERNEL32(?), ref: 00BA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA254B

Strings

close all, xrefs: 00B61454

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ff54cfc35180db2699f4fb742c57cd24a8070bf55cbcc132add9fb27faaf3fc9
Instruction ID: 8bc636c9a8e1ea28f5bfa687a9a519c3b387635fdab19a097fa79ae7dc5e928f
Opcode Fuzzy Hash: ff54cfc35180db2699f4fb742c57cd24a8070bf55cbcc132add9fb27faaf3fc9
Instruction Fuzzy Hash: BBD17A31B062128FCB19EF19C995A29F7E4FF15700F1885EDE44A6B261DB30AD12CF50

Function 00B62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CCF

Strings

AutoIt v3, xrefs: 00B62C89, 00B62C8E, 00B62C8F
edit, xrefs: 00B62CAC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction ID: d152f9f95494e02e3bf0b5cc80681b2fbe1c219c39ed3e06aa4abd18e382f03f
Opcode Fuzzy Hash: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction Fuzzy Hash: AEF0DA755502987EEB711B17AC08FBB6EBDD7C6F50B04405AFE04A35B0C6615898DEB0

Function 00B63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B83

Strings

Control Panel\Mouse, xrefs: 00B63B3E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction ID: fb74a1526914a202e27c69ab16e28094c7332741c717dea93dddd6565c40903a
Opcode Fuzzy Hash: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction Fuzzy Hash: 951157B1610208FFDB208FA4DC84EEEBBF8EF05B40B1484AAE901D7110E6319E409BA0

Function 00BCD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BCD52F
CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction ID: 9a9cbc824439486fa0da18bf77fc843f520cee8daff6f58a676b808f01bd2563
Opcode Fuzzy Hash: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction Fuzzy Hash: DB319F711083009FD300EF54C881FAFBBE8EFA9354F14096DF585971A1EB719A88CBA2

Function 00B63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BA33A2

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Strings

Line: , xrefs: 00BA33EB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction ID: 715ac9b7d6644f5ab6df6c8aecec7c74482d60e9d6f46bcb94b446fcd34da6b6
Opcode Fuzzy Hash: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction Fuzzy Hash: 6831D271408304AED725EB20DC45BEFB7D8AF40B10F0845AAF59A931E1DF789A48CBC6

Function 00B7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80668

Part of subcall function 00B832A4: RaiseException.KERNEL32(?,?,?,00B8068A,?,00C31444,?,?,?,?,?,?,00B8068A,00B61129,00C28738,00B61129), ref: 00B83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

Strings

Unknown exception, xrefs: 00B80692

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: af1dc297fc7c23029b57602498e7627a6f23c24432b4a4fd4f552728e5a46549
Instruction ID: 47c005a4a9fa5d52c66e64da7983987cc9b6ec5b33b5b10ffdf733e99523b922
Opcode Fuzzy Hash: af1dc297fc7c23029b57602498e7627a6f23c24432b4a4fd4f552728e5a46549
Instruction Fuzzy Hash: FFF0C83490020EB78B14BA64E886CAD77EC9E00750B6085F1B928965B1EF71DA5DC794

Function 00B610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Part of subcall function 00B61B4A: RegisterWindowMessageW.USER32(00000004,?,00B612C4), ref: 00B61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6136A
OleInitialize.OLE32 ref: 00B61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BA24AB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction ID: 714a5882653e6f94f6da1f85f4bf4e8df5c1b6bb42233e6c8945dfcfb7976d4f
Opcode Fuzzy Hash: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction Fuzzy Hash: DA71EAB59313048FC784EFB9A9457AD3AE0FB8934071D866AED0AC73A1EB344445CF59

Function 00B986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B985CC,?,00C28CC8,0000000C), ref: 00B98704
GetLastError.KERNEL32(?,00B985CC,?,00C28CC8,0000000C), ref: 00B9870E
__dosmaperr.LIBCMT ref: 00B98739

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction ID: f15f9d2fa204843af4b4d74f50e35f0100ef725e44a961ea1a5898a37b27a80b
Opcode Fuzzy Hash: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction Fuzzy Hash: B8012633A0962027DE356274A845B7E6BD98B83774F3901F9F9198F1D2DEB48C81C294

Function 00B71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B717F6

Strings

CALL, xrefs: 00B717C6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c22d3b2bc1cbbcdd16de1666c0f4321ad33fc8f9e1adbdec090d1e130dfe7b33
Instruction ID: 2eb3834fad85307dbf2d9587a7f03e02904d75c17e6e4ed2db7dfb29ea9422e3
Opcode Fuzzy Hash: c22d3b2bc1cbbcdd16de1666c0f4321ad33fc8f9e1adbdec090d1e130dfe7b33
Instruction Fuzzy Hash: 6C2289706082019FC714DF18C490A6ABBF1FF95314F1489ADF4AA8B3A1D775ED45CBA2

Function 00B62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BA2C8C

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00B62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Strings

X, xrefs: 00BA2C5A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction ID: 05bd0b9527b1892c66f3430bbf4c9182a476e0bd6b952cc424edbf4892f79365
Opcode Fuzzy Hash: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction Fuzzy Hash: 3221A571A002989FDF41EF98D845BEE7BF8EF49714F008099E505A7241DFB85A89CF61

Function 00B63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2b50c869292b1a38334fc95ce20d0bbc27ddd1aef90072eb4b5626604fa7d4df
Instruction ID: 65c30d81396580b22907a0cc207a648bdc697252df72aebf58ae6957c8e20dd9
Opcode Fuzzy Hash: 2b50c869292b1a38334fc95ce20d0bbc27ddd1aef90072eb4b5626604fa7d4df
Instruction Fuzzy Hash: 3831A2705047019FD760DF24D8847DBBBE8FB49B08F04096EFA9A83290E775AA44CB52

Function 00B6B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B6BB4E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: cd7608b4507235d6835cb08f2b5cac96e027737396dfd7f1340133acf96628eb
Instruction ID: d2da48bd98efa7b9dddadf040b4c292be68fbc304c1b8ed3eaf2080c03b82169
Opcode Fuzzy Hash: cd7608b4507235d6835cb08f2b5cac96e027737396dfd7f1340133acf96628eb
Instruction Fuzzy Hash: 2E327A71A102099FDF24DF58C894EBEB7F9EF44304F148099E915AB261D7B8ED81CB51

Function 00B64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
Part of subcall function 00B64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
Part of subcall function 00B64E90: FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EFD

Part of subcall function 00B64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
Part of subcall function 00B64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
Part of subcall function 00B64E59: FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction ID: bbf1136367744c18312e96bc89b6bfd968333a87e7f25c01dd4cd029ebe316c9
Opcode Fuzzy Hash: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction Fuzzy Hash: 7E112332600705AACB25BB60DC02FED77E4AF40B10F2084AEF546A71D1EF799A459B90

Function 00B98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B98440

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction ID: 3cfaca47b8c41f26a7534fb45046bb09d2ad4ceb958e256927b467edb2852220
Opcode Fuzzy Hash: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction Fuzzy Hash: 5A11187590410AAFCF05DF58E941A9E7BF5EF49314F1040A9F808AB312DA31DA11CBA5

Function 00B95000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B94C7D: RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

_free.LIBCMT ref: 00B9506C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e46bc4a4a80094c2dddfd3812bb978b8aa564257df86e5c929dfed6acf3221a8
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4A0126726447056BEB328F659881A5AFBE8FB89370F25067DE18483280EA30A805C7B4

Function 00B8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 843299ac119ce96f31a33c8428911f700e8bdf12ec91f8a774d7fa2e90c25d91
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 89F0F432510A14A6DA313A69DC05B5A37D89F53330F1407F6F434962F2EB74D802CBA5

Function 00B94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction ID: 0e1d47889ad0f31a23e5040a5e872804b21eb8cf756c011329229d7f10634d10
Opcode Fuzzy Hash: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction Fuzzy Hash: A6F0B4316022256EDF216F729C05F5B37E8FF417A1B1542B5B819A7191CB70D802C6A0

Function 00B93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction ID: 9a57fe23ee88494276b1ea98af9a26c3360b1144ed6125eed39fb71ebca2468c
Opcode Fuzzy Hash: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction Fuzzy Hash: A8E0E5311006259ADE213A679C84B9A36C9EF42FB0F1500F1BD05928A0DB10DE01D3E0

Function 00B64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64F6D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction ID: d00264b31117becdeeab14f33713bd587b4a4ba9b84c3e78c62e7e170cee7826
Opcode Fuzzy Hash: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction Fuzzy Hash: ACF03071105B51CFDB389F64D490822BBE4EF1431931089BEE1EE83521CB359844DF10

Function 00B630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction ID: 87e34a5fdf57c5ff1f0df8bfb51420d300e4b1b119658307f29037de7c93e364
Opcode Fuzzy Hash: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction Fuzzy Hash: 79F037709143189FEB929B24DC457D97BFCA701708F0400E5A54897291DB745788CF51

Function 00B62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction ID: 41e37ecc4d51e391596d02710fb86e3fd042a8dc7651a1f20ea25244f9498668
Opcode Fuzzy Hash: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction Fuzzy Hash: BEE0CD766041245BC710965C9C06FEA77DDDFC8790F0440B1FD09D7248D964AD80C550

Function 00B62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction ID: 59ec40c68d448488f95245932435815bc0040495fc7400094f295e4faf94ce1b
Opcode Fuzzy Hash: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction Fuzzy Hash: 64E0CD317042840BCA08BB75A8526BDF7D9DBD1751F4419BEF546431A3CF3D49498352

Function 00BA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction ID: 1536021126fcaccfb6c8da31c26aa86778ab0494f2377f1aa97fcf891fbedf8c
Opcode Fuzzy Hash: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction Fuzzy Hash: 36D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E971EB90

Function 00B61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B61CBC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction ID: 47db01a20c56d3fe3aaf6db96fe3e3f97650eb12e61011dd03924c4fb6945017
Opcode Fuzzy Hash: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction Fuzzy Hash: 63C09236290308AFF6148B80BD4BF287B64A358B01F088001FA09AB5F3C7A22864EA50

Non-executed Functions

Function 00BF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF96C9
SendMessageW.USER32 ref: 00BF96F2
GetKeyState.USER32(00000011), ref: 00BF978B
GetKeyState.USER32(00000009), ref: 00BF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF97AE
GetKeyState.USER32(00000010), ref: 00BF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF97E9
SendMessageW.USER32 ref: 00BF9810
SendMessageW.USER32(?,00001030,?,00BF7E95), ref: 00BF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BF9941
SetCapture.USER32(?), ref: 00BF994A
ClientToScreen.USER32(?,?), ref: 00BF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF99D6
ReleaseCapture.USER32 ref: 00BF99E1
GetCursorPos.USER32(?), ref: 00BF9A19
ScreenToClient.USER32(?,?), ref: 00BF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9A80
SendMessageW.USER32 ref: 00BF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9AEB
SendMessageW.USER32 ref: 00BF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BF9B4A
GetCursorPos.USER32(?), ref: 00BF9B68
ScreenToClient.USER32(?,?), ref: 00BF9B75
GetParent.USER32(?), ref: 00BF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9BFA
SendMessageW.USER32 ref: 00BF9C2B
ClientToScreen.USER32(?,?), ref: 00BF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9CDE
SendMessageW.USER32 ref: 00BF9D01
ClientToScreen.USER32(?,?), ref: 00BF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BF9D82

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetWindowLongW.USER32(?,000000F0), ref: 00BF9E05

Strings

@GUI_DRAGID, xrefs: 00BF997D
F, xrefs: 00BF9D07

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction ID: bf1036f9883fc9924598a2981710cad81fa117034cbd3d62fa7faad7aafd9ba8
Opcode Fuzzy Hash: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction Fuzzy Hash: 7B428D34204209AFDB24DF24CD84BBABBE5FF49710F144699F699C72A1DB31A898CF51

Function 00BF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A7E
IsMenu.USER32(?), ref: 00BF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BF4C82
wsprintfW.USER32 ref: 00BF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4D5A

Strings

%d/%02d/%02d, xrefs: 00BF4CA8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2369e5789fd66b3c0a44b9051cbcf4c96ae88f69d7351cb1150b7d997a975123
Instruction ID: f0acfa45b78fd4878151f6dd17c84209c81f0449f8b871a0477bc1a19d350465
Opcode Fuzzy Hash: 2369e5789fd66b3c0a44b9051cbcf4c96ae88f69d7351cb1150b7d997a975123
Instruction Fuzzy Hash: 6812CF71600259ABEB248F28CC49FBF7BF8EF45710F1041A9FA1ADB2A1DB749945CB50

Function 00B7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BBF474
IsIconic.USER32(00000000), ref: 00BBF47D
ShowWindow.USER32(00000000,00000009), ref: 00BBF48A
SetForegroundWindow.USER32(00000000), ref: 00BBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4AA
GetCurrentThreadId.KERNEL32 ref: 00BBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BBF4DE
SetForegroundWindow.USER32(00000000), ref: 00BBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF4F6
keybd_event.USER32(00000012,00000000), ref: 00BBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF50B
keybd_event.USER32(00000012,00000000), ref: 00BBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF519
keybd_event.USER32(00000012,00000000), ref: 00BBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF528
keybd_event.USER32(00000012,00000000), ref: 00BBF52D
SetForegroundWindow.USER32(00000000), ref: 00BBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BBF557

Strings

Shell_TrayWnd, xrefs: 00BBF46F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction ID: 6f2303501006fc0fbbe1594c6e0819deafddc60eb9b4ac265eb85b1f339215d6
Opcode Fuzzy Hash: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction Fuzzy Hash: E2314F71A4021DBBEB206BB55D4AFBF7EACEB44B50F100065FA01E71D1CBB19D40EAA0

Function 00BC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BC12A8
CloseHandle.KERNEL32(?), ref: 00BC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BC12D1
GetProcessWindowStation.USER32 ref: 00BC12EA
SetProcessWindowStation.USER32(00000000), ref: 00BC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BC1310

Part of subcall function 00BC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
Part of subcall function 00BC10BF: CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Strings

, xrefs: 00BC125A
winsta0, xrefs: 00BC12CC
default, xrefs: 00BC130B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ef29a3118719d85d635ae1d95020f9d724fe7e24f0cceaf968a9ea776031d089
Instruction ID: 9b73bf645e1938dbf2bd310cc06b289795f79b91475d494bc70968c617f2892a
Opcode Fuzzy Hash: ef29a3118719d85d635ae1d95020f9d724fe7e24f0cceaf968a9ea776031d089
Instruction Fuzzy Hash: 15817871900209ABDF259FA8DD49FEE7BB9EF05704F1445A9F910B72A2DB308984CF60

Function 00BC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0C00
GetLengthSid.ADVAPI32(?), ref: 00BC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0C6D
GetLengthSid.ADVAPI32(?), ref: 00BC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0CB4
CopySid.ADVAPI32(00000000), ref: 00BC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D45
HeapFree.KERNEL32(00000000), ref: 00BC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D55
HeapFree.KERNEL32(00000000), ref: 00BC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D65
HeapFree.KERNEL32(00000000), ref: 00BC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0D78
HeapFree.KERNEL32(00000000), ref: 00BC0D7F

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction ID: 59750d439d50d0531e688b5e40e1e8dd2db01ed4be20587950c4ef35a9dbb9c0
Opcode Fuzzy Hash: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction Fuzzy Hash: 2E715C7290020AEBDF10EFA4DD44FAEBBB8FF04700F1446A9E915E7191DB71AA45CB60

Function 00BDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BFCC08), ref: 00BDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BDEB37
GetClipboardData.USER32(0000000D), ref: 00BDEB43
CloseClipboard.USER32 ref: 00BDEB4F
GlobalLock.KERNEL32(00000000), ref: 00BDEB87
CloseClipboard.USER32 ref: 00BDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00BDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00BDEBC9
GetClipboardData.USER32(00000001), ref: 00BDEBD1
GlobalLock.KERNEL32(00000000), ref: 00BDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00BDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BDEC38
GetClipboardData.USER32(0000000F), ref: 00BDEC44
GlobalLock.KERNEL32(00000000), ref: 00BDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00BDECF3
CountClipboardFormats.USER32 ref: 00BDED14
CloseClipboard.USER32 ref: 00BDED59

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction ID: dba7c4042ec047c30d9c36c963c0e20cf1a280dc140eeed80a5a3810300274c7
Opcode Fuzzy Hash: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction Fuzzy Hash: C6619F34204206AFD300EF24D985F3ABBE4EF84714F14459AF4669B3A1EF31E949CB62

Function 00BD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD69BE
FindClose.KERNEL32(00000000), ref: 00BD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A75

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BD6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00BD6B6A
%02d, xrefs: 00BD6C00, 00BD6C0A, 00BD6C5A, 00BD6CAA, 00BD6CFA, 00BD6D4A
%4d, xrefs: 00BD6BB1
%03d, xrefs: 00BD6DA2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction ID: 645c0ce30bd43c8367799652124b65aff21d8a1558a4cb0429122284c0f19f3c
Opcode Fuzzy Hash: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction Fuzzy Hash: 2FD14171508340AFC714DBA4C981EABB7ECEF98704F04495EF589D7251EB78DA44CB62

Function 00BD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BD9663
GetFileAttributesW.KERNEL32(?), ref: 00BD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00BD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00BD96D3
FindClose.KERNEL32(00000000), ref: 00BD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD974A
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD9772
FindClose.KERNEL32(00000000), ref: 00BD977F
FindClose.KERNEL32(00000000), ref: 00BD978F

Strings

*.*, xrefs: 00BD96F5

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction ID: 3802f2f8b2500d5cc324c8c7da13e69db583ed3d9f16f293c0f1980c314bbeae
Opcode Fuzzy Hash: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction Fuzzy Hash: 0331843254121D6ADF14AFB4ED49AEEBBECDF49321F1041A6E915E31A0EB30DD84CB64

Function 00BD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00BD9819
FindClose.KERNEL32(00000000), ref: 00BD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD9890
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD98B8
FindClose.KERNEL32(00000000), ref: 00BD98C5
FindClose.KERNEL32(00000000), ref: 00BD98D5

Part of subcall function 00BCDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BCDB00

Strings

*.*, xrefs: 00BD983B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction ID: 06acc43bdf9c90ac78a539326e5383b2bcfb94e433be96e5f94f689513cca1b1
Opcode Fuzzy Hash: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction Fuzzy Hash: 9A31953254061D6ADF14AFA4EC48AEEB7ECDF06760F1441A6E514A32A0EB31D984DB64

Function 00BEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00BEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEC382
RegCloseKey.ADVAPI32(00000000), ref: 00BEC38F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 4556669faaf6529b798aaff35956358e67b6b68b5f461c468667c6f4481739d9
Instruction ID: 781062b2849992882ec6afd5a9eff0a122259ff3536bb8d36b17e81eba50f3da
Opcode Fuzzy Hash: 4556669faaf6529b798aaff35956358e67b6b68b5f461c468667c6f4481739d9
Instruction Fuzzy Hash: 97025F716042409FD714DF29C895E2ABBE5EF49318F18C49DF84ADB2A2DB31EC46CB91

Function 00BD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8395

Strings

*.*, xrefs: 00BD839B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction ID: 846e28686d7d291e0eac49c05aa694f81e4a8ddc7ce4d3d0ecb6e323d9c34ecb
Opcode Fuzzy Hash: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction Fuzzy Hash: 3E616A725043459FCB10EF64C8409AEF7E8FF89320F0449AEF99997251EB35E949CB92

Function 00BCD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BCD1DD
MoveFileW.KERNEL32(?,?), ref: 00BCD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD237

Part of subcall function 00BCD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BCD21C,?,?), ref: 00BCD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BCD253
FindClose.KERNEL32(00000000), ref: 00BCD264

Strings

\*.*, xrefs: 00BCD0CD, 00BCD0D6, 00BCD0EB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction ID: 0f9df49f36ff4b1f5c8a01381ecf26534b93cb55c5bfb3b56a8ab6d3cdeb75ae
Opcode Fuzzy Hash: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction Fuzzy Hash: A8614A3580110DAACF15EBE0DA92EEDBBF9EF55340F2441A9E40277191EB34AF09DB60

Function 00BDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BDED91
EmptyClipboard.USER32 ref: 00BDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00BDEDAC
CloseClipboard.USER32 ref: 00BDEEA3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction ID: dea957120ca64b81f18dd9d7defb68b477c078336b303ca6975bb761bcee941b
Opcode Fuzzy Hash: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction Fuzzy Hash: BF417E35604651EFE720EF15D888B29BBE5EF44318F14C09AE4698F762DB75EC81CB90

Function 00BCE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

ExitWindowsEx.USER32(?,00000000), ref: 00BCE932

Strings

, xrefs: 00BCE95C
@, xrefs: 00BCE925
SeShutdownPrivilege, xrefs: 00BCE902
, xrefs: 00BCE920

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction ID: c97b96fc8b158dc47dd9723b14ebd420d51ab259cfc1121c6ea16d1b9bd82622
Opcode Fuzzy Hash: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction Fuzzy Hash: BF012B32610215EBEB5426789C8AFBF72DCD714740F1449A9F823E30D2DAF09C808294

Function 00BE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BE1276
WSAGetLastError.WSOCK32 ref: 00BE1283
bind.WSOCK32(00000000,?,00000010), ref: 00BE12BA
WSAGetLastError.WSOCK32 ref: 00BE12C5
closesocket.WSOCK32(00000000), ref: 00BE12F4
listen.WSOCK32(00000000,00000005), ref: 00BE1303
WSAGetLastError.WSOCK32 ref: 00BE130D
closesocket.WSOCK32(00000000), ref: 00BE133C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction ID: 3e8fce062dff851083819e4196f7a228e2af60742076ff7a326a35dda1ef8cf3
Opcode Fuzzy Hash: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction Fuzzy Hash: 2E41AF31600140AFD710DF69C988B69BBE5EF46318F2885D8E9569F292C771EC85CBA1

Function 00BCD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD481
FindClose.KERNEL32(00000000), ref: 00BCD498
FindClose.KERNEL32(00000000), ref: 00BCD4A1

Strings

\*.*, xrefs: 00BCD3F2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction ID: b1f783e2c30c718a8c620bd41616648644d91c5edbb044200b0da55fa938b894
Opcode Fuzzy Hash: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction Fuzzy Hash: 45318E310083459BC304EF64D9919AFBBE8EE92304F444AADF4D593291EB34AA09DB63

Function 00B9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B9E645

Strings

1#INF, xrefs: 00B9F852
1#SNAN, xrefs: 00B9F844
1#IND, xrefs: 00B9F83D
1#QNAN, xrefs: 00B9F84B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction ID: 02afb6e3410a8773bd34bb290138d20ae3f0a8f9b4045c9aaef4227ec5dd1c3f
Opcode Fuzzy Hash: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction Fuzzy Hash: 29C23771E086298BDF25CE289D807EAB7F5EB48315F1541FAD85DE7240E778AE818F40

Function 00BD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD64DC
CoInitialize.OLE32(00000000), ref: 00BD6639
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD6650
CoUninitialize.OLE32 ref: 00BD68D4

Strings

.lnk, xrefs: 00BD64BA, 00BD6524, 00BD65E0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction ID: 07a56de05b624f83f2ad96c9b11f03594df98d0e44711ade279a2f3ee5ec75e7
Opcode Fuzzy Hash: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction Fuzzy Hash: A9D14A71508205AFC304EF24C88196BB7E9FF94708F1049ADF5958B2A1EB71ED49CBA2

Function 00BE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BE22E8

Part of subcall function 00BDE4EC: GetWindowRect.USER32(?,?), ref: 00BDE504

GetDesktopWindow.USER32 ref: 00BE2312
GetWindowRect.USER32(00000000), ref: 00BE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BE2355
GetCursorPos.USER32(?), ref: 00BE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BE23DF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction ID: 96217207541fb0085d242e9517a1ce0bfddb6af096d6f299531065162ddbfde8
Opcode Fuzzy Hash: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction Fuzzy Hash: 0631DE72504345AFC720DF15C845B6BBBEAFB84310F000A1AF89497181DB34EA48CB92

Function 00BD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BD9C8B

Part of subcall function 00BD3874: GetInputState.USER32 ref: 00BD38CB
Part of subcall function 00BD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BD9C75

Strings

*.*, xrefs: 00BD9B5D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction ID: e1001d0b5d2441cb800aa8c685cc667bc2df7401fd477690f0c80b33cfe5a64d
Opcode Fuzzy Hash: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction Fuzzy Hash: 8841537194420EAFDF15DF64C985AEEBBF8EF05310F244196E405A32A1EB319E84DF60

Function 00B7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B79A4E
GetSysColor.USER32(0000000F), ref: 00B79B23
SetBkColor.GDI32(?,00000000), ref: 00B79B36

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction ID: 450c7bb0fc26557edde3a87d9b36edff64e8fbdec65a79a283d1d9f94e9dd02d
Opcode Fuzzy Hash: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction Fuzzy Hash: 12A13570249508AFE728AA3D8C88FBF2ADDDB82300F2581C9F526C7695CE619D01D372

Function 00BE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BE185D
WSAGetLastError.WSOCK32 ref: 00BE1884
bind.WSOCK32(00000000,?,00000010), ref: 00BE18DB
WSAGetLastError.WSOCK32 ref: 00BE18E6
closesocket.WSOCK32(00000000), ref: 00BE1915

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction ID: 4107e7c7a7625050523983100a3cd2d36c6cfa52e82e956699904ca042a66d36
Opcode Fuzzy Hash: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction Fuzzy Hash: 5851B275A002009FD710AF24C896F7A77E5EB44718F1884D8F95A9F393CB75AD41CBA1

Function 00BF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BF1CC0
IsWindowEnabled.USER32 ref: 00BF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BF1CDB
IsIconic.USER32 ref: 00BF1CE9
IsZoomed.USER32 ref: 00BF1CF7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ea7fcf3f077466249d2dfd20b0de70d159507d6af05649d08e8d36164543ee17
Instruction ID: a6149eaed73ab25ff5986cc59745079c4f4789642eec689b994b0aa696b0c797
Opcode Fuzzy Hash: ea7fcf3f077466249d2dfd20b0de70d159507d6af05649d08e8d36164543ee17
Instruction Fuzzy Hash: D72194317402189FD7208F1ED884B767BE5EF95314B1988A8E945CF351CB71DC4ACB90

Function 00B68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00BA5DF0
VUUU, xrefs: 00B683FA
ERCP, xrefs: 00B6813C
VUUU, xrefs: 00B683E8
VUUU, xrefs: 00B6843C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction ID: c9ab7858ab5eb2e8573949feb7aec456f32d056d485054044b06adb50f09d949
Opcode Fuzzy Hash: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction Fuzzy Hash: D8A24C71A0461ACBDF34CF58C8807ADB7F1FB55314F2482EAE855A7285EB749E81CB90

Function 00BCAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BCAAAC
SetKeyboardState.USER32(00000080), ref: 00BCAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BCAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BCAB88

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction ID: 55e9f83f6b31eea4c4731c1872742fff2bb012893d2a26f3d76b51b04e5aab66
Opcode Fuzzy Hash: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction Fuzzy Hash: 62310370A8020CAEFB359A68CC49FFA7BF6EB44328F04429EF581961D1D7758D85C762

Function 00B9BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9BB7F

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

GetTimeZoneInformation.KERNEL32 ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,?,00C3121C,000000FF,?,0000003F,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,?,00C31270,000000FF,?,0000003F,?,?,?,00C3121C,000000FF,?,0000003F,?,?), ref: 00B9BC36

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: afc95a30ad7a73384c111ba9b3faebfc0f44037aac1774d5362593fb6f9508a0
Instruction ID: 9f0a6dc521812ea9b76c9440f0216fbce91fda61070bf28450176c5071cc562d
Opcode Fuzzy Hash: afc95a30ad7a73384c111ba9b3faebfc0f44037aac1774d5362593fb6f9508a0
Instruction Fuzzy Hash: 5C31A070904205DFCF15DF69ED80A6EBBF8FF45760B1882BAE855D72A1D7319A40CB90

Function 00BDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BDCE89
GetLastError.KERNEL32(?,00000000), ref: 00BDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00BDCEFE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction ID: 21b0e008b684adf23f8426bb1e659623be42867440a3cea896a703b0d12c34e8
Opcode Fuzzy Hash: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction Fuzzy Hash: 632190B15003069BD720DFA5C985BA7BBFCEB50354F1044AEE546D3251EB70ED48DB54

Function 00BC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BC82AA

Strings

|, xrefs: 00BC82DA
(, xrefs: 00BC82F0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction ID: cd0937ec0e3f1f3286a2820bbc1b0a619a647fccecdb1b187942583335d17b91
Opcode Fuzzy Hash: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction Fuzzy Hash: 8F322474A006059FCB28CF59C481E6AB7F0FF48710B15C5AEE49ADB7A1EB70E981CB54

Function 00BD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00BD5D17
FindClose.KERNEL32(?), ref: 00BD5D5F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction ID: ec3bddc853572c6aa82c59373408f77287ef1108d6e5fa641f619e49f32609ad
Opcode Fuzzy Hash: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction Fuzzy Hash: FD517A746046019FC724DF28C494EA6FBE5FF49314F1485AEE99A8B3A1DB30E944CBA1

Function 00B92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B92731

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction ID: e7ef3c6ae6936ef3fb0ba136dbb8ca79a1fdf124770022becde1f78f64052b17
Opcode Fuzzy Hash: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction Fuzzy Hash: 0D31C37491121CABCF21EF68D98879CBBF8AF08310F5041EAE41CA7260EB349F858F44

Function 00BD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BD5238
SetErrorMode.KERNEL32(00000000), ref: 00BD52A1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction ID: 45697b266bbed8c548c111d55dfade78b754bba9686d53372a7624593a33eacd
Opcode Fuzzy Hash: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction Fuzzy Hash: E1314B75A10518DFDB00DF94D884EADBBF4FF48314F048099E849AB3A2DB35E85ACB90

Function 00BC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80668
Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
GetLastError.KERNEL32 ref: 00BC174A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 07a060bf57fcaecffbca7c2dd80310e6191831aba5ebe07f38c29b413efa86c3
Instruction ID: 161fc92f2faf2b536b94c7cbbe043c59d0eecc097bce01653f0e23be54544a4c
Opcode Fuzzy Hash: 07a060bf57fcaecffbca7c2dd80310e6191831aba5ebe07f38c29b413efa86c3
Instruction Fuzzy Hash: 7B11C1B2400309FFD7289F68DCC6E7ABBF9EB04714B20856EE05693241EB70BC41CA24

Function 00BCD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BCD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD650

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction ID: 9e5570266ee72b423bb61c886a6d44300fa696df221290ef446ed8e4a9c2070c
Opcode Fuzzy Hash: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction Fuzzy Hash: B5113C75E05228BBDB108F999D45FAFBFBCEB45B50F108166F904E7290D6704A05CBA1

Function 00BC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC16A1
FreeSid.ADVAPI32(?), ref: 00BC16B1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction ID: 3f232d9a7ff76cb14c4eb3fc5a25eede0e6d63e213c429471962b5bf17516cad
Opcode Fuzzy Hash: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction Fuzzy Hash: F5F0F47195030DFBDB00DFF49D89EAEBBBCEB08604F5049A5E501E3181EB74AA449A54

Function 00BBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BBD28C

Strings

X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction ID: e40e4ccba7fb3e70d5935cd327355c7e068567a092ce9623ef601e640cc7dc07
Opcode Fuzzy Hash: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction Fuzzy Hash: 4AD0C9B480111DEBCB94CBA0DCC8DE9B7BCBF04345F104195F106A2000DB7495498F10

Function 00B8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4721ac9dbf9fea738e2bb59410ca960eb5300eeea12fc41919ea2b5993f36347
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9022CB1E002199BDF14DFA9C8806ADBBF1FF48314F2581AAD919E7390D730AE45CB94

Function 00BD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD6918
FindClose.KERNEL32(00000000), ref: 00BD6961

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction ID: d47419fe1dfd89771b89c43f2edfd6683c0b0f06145a76083391112eff65c1aa
Opcode Fuzzy Hash: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction Fuzzy Hash: AE1190316142019FC710DF69D498A26FBE5FF89328F14C69AE4698F3A2DB34EC45CB91

Function 00BD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37F4

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction ID: f7dd40965790d0438766163b78336542935fb23030463a7b24e35a2fb23e8598
Opcode Fuzzy Hash: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction Fuzzy Hash: 54F0E5B06052296AE72017668C4DFEB7AEEEFC5B61F0001A6F509E3281D9709D44C6B1

Function 00BCB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BCB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00BCB270

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction ID: 0ae93a5626d214616b734dc8bc388fe724c16cd31942d97eb3047aa6f584c9c1
Opcode Fuzzy Hash: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction Fuzzy Hash: 07F01D7180424DABDB059FA0C806BBE7FB4FF04305F008449F965AA191C7799655DF94

Function 00BC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4ae4cc1fc6b6fca9c8ac23b353ed4c866c3b3d3ce34130eaa1eb6c7c5f72cb04
Instruction ID: 7d6c8ec21f93348cc5946b43f2e306c4a6eea0ffd5469ed64d777cbc0286bbf9
Opcode Fuzzy Hash: 4ae4cc1fc6b6fca9c8ac23b353ed4c866c3b3d3ce34130eaa1eb6c7c5f72cb04
Instruction Fuzzy Hash: 75E04F32008601AEE7252B21FC05E737BE9EF04310F10C86DF4A5814B1DF626CE0DB18

Function 00B6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BB0C40

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e0f1e4703b74554d391302c3dde85a6887cb8e825e431b276ec97a3328bfe8fb
Instruction ID: 8edb92843887b353c4df61863509edfd3f544504acb670ef815904ad75bec719
Opcode Fuzzy Hash: e0f1e4703b74554d391302c3dde85a6887cb8e825e431b276ec97a3328bfe8fb
Instruction Fuzzy Hash: D9326C70910218DBCF14EF94C895AFEBBF5FF04304F1480A9E846AB292D779AD49CB60

Function 00B9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B96766,?,?,00000008,?,?,00B9FEFE,00000000), ref: 00B96998

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction ID: f65479bcdbb78743831e29474c54f0773bfd80066aef1ccd05e3da0d7066a8af
Opcode Fuzzy Hash: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction Fuzzy Hash: ACB12A316106099FDB19CF28C48AB657BE0FF45364F2586A9E899CF2A2C735E991CB40

Function 00B7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BB851F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction ID: 99e1a7ad360c0980c2858703d081952b4b75072a5b127634aeb6048db449e968
Opcode Fuzzy Hash: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction Fuzzy Hash: 1D124D759002299BCB24CF58C880BFEB7F9FF48710F14819AE859EB255DB749A81CF94

Function 00BDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BDEABD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction ID: 4c8b3fe6e137eb95ac62165c05e32162644877b717a3381ee5248a37a609ee35
Opcode Fuzzy Hash: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction Fuzzy Hash: 64E048312102059FC710EF59D444D9AFBE9EF58760F008457FC49CB351DB74E8448B90

Function 00B809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B803EE), ref: 00B809DA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction ID: def020990cbccbadfad65955ebe5339d95faa1ba63fa53974f77520b3abc1cf9
Opcode Fuzzy Hash: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction Fuzzy Hash:

Function 00B8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B8798B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 604f760ad32741bf505ba461c7c7bc7f6228d3acbf347af20f6fff4c172bb15b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4F518A616CC605A7DB38B52A889DBBE27C9DB1234CF3805C9D886C72B2DE11DE01D352

Function 00B96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction ID: 5a13b5ddf974f91503e75dd440b02b21623b00ea61894b510d65c8584e11fde2
Opcode Fuzzy Hash: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction Fuzzy Hash: D232F421D79F014DDB239634CC663396689AFB73C5F16D737E81AB5AA6EF29C4838100

Function 00B7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction ID: 2bde3b97f17b8ea0c93448b7ee7501e1a4b22614d886172aec9aa2b28c45c5fa
Opcode Fuzzy Hash: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction Fuzzy Hash: 9C32F231A001498BDF39CE29C4D06FD7FE1EB45300F2885EED4AA9B696D6B4DD81DB81

Function 00B67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120718cd36aecdea9278c53471edcb110337c95d5010044a8974254151151c79
Instruction ID: eecbcce771ee25419d8881cf7a261f61acaef317015b5abd9a2aba0ecd1c1405
Opcode Fuzzy Hash: 120718cd36aecdea9278c53471edcb110337c95d5010044a8974254151151c79
Instruction Fuzzy Hash: 8922C470A0460ADFDF14CFA4C881BAEB3F5FF49304F2445A9E816A7291EB399E15CB54

Function 00B691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95cecf6ebcc61dec423329fd3d54613026f50ad0da038e7670cad0048dfe440
Instruction ID: 466ee13c983ec448c551b236999d771c207dbcf06ef7b9afba4681c5635c25ca
Opcode Fuzzy Hash: b95cecf6ebcc61dec423329fd3d54613026f50ad0da038e7670cad0048dfe440
Instruction Fuzzy Hash: 7602B5B0E04206EBDB14DF54D881BAEB7F5FF45300F1081A9E816DB291EB35EA15CB95

Function 00B99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction ID: 5046e8efa85e9bfbc4ce4a479d7d6993edbfa50ad49c7190dfd43a3d23f8a020
Opcode Fuzzy Hash: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction Fuzzy Hash: EBB10520D2AF904DD7239639887133AB69CAFBB6D5F92D71BFC1674D72EB2185838140

Function 00B81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4b3f423485deba2eebd47f18c1bf825fc4af16a122c4a586f63b08f7aad1a92b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5791A97210A0A34ADB29563E847417DFFE5DA523A231A0FEDD4F2CA1E5FE10C956D720

Function 00B81F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 001e13c70ac2c54668ffe992fe6020efb3fd3e63435ce930e71acbe4f458df78
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F79175722090A34EEB69633D847803EFFE19A923A131A07DDD4F2DB1E5EE24C555E720

Function 00B819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 07a9b698cfb56c44e8ffe69022fd542ad59dc8afed20e1310dba686c93151962
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E91737220B0A34ADB2D567E857403DFFE99A923A131A0BDED4F2CA1E1FD24C556D720

Function 00B87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction ID: 11e3f5d73547f9a1074e6ce5af8e18877ffdba934b1a2aca47af071af0a76c5b
Opcode Fuzzy Hash: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction Fuzzy Hash: AF6168212C830997DA38BA2889E5BBE63D6DF5170CF3409D9E842DB2B1DE21DE42C755

Function 00B87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction ID: 7005ca1d47976b202de1766167191e09ddc0f15bbbd0a57e0944d4a0e770b88a
Opcode Fuzzy Hash: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction Fuzzy Hash: 36615BB16C870997DA38B9288895BBE23C8DF5274CF3419E9E842DB2B1DE11DD41C355

Function 00B81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bf8dad1d7f97ef9aaf2f9ac9583bc0cfb09003e8f939591053aadc98d047b5ee
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2581C87660A0A309DB2D523E847443EFFE59A923A131A0FDDD4F2CB1E1EE24C956D720

Function 00BD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction ID: c29b38aafecd6e2ea1d4a80c6955f4f5108efe1755982a229d4796361fa04613
Opcode Fuzzy Hash: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction Fuzzy Hash: 5B21A8326205118BDB28CF79C92377EB3E5A764310F15866EE4A7C37D0DE35A904C740

Function 00BE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BE2B30
DeleteObject.GDI32(00000000), ref: 00BE2B43
DestroyWindow.USER32 ref: 00BE2B52
GetDesktopWindow.USER32 ref: 00BE2B6D
GetWindowRect.USER32(00000000), ref: 00BE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2CF8
GetClientRect.USER32(00000000,?), ref: 00BE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D80
GlobalLock.KERNEL32(00000000), ref: 00BE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00BE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DA8
GlobalFree.KERNEL32(00000000), ref: 00BE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,00000000), ref: 00BE2DDB
GlobalFree.KERNEL32(00000000), ref: 00BE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE303F

Strings

AutoIt v3, xrefs: 00BE2CF2
DISPLAY, xrefs: 00BE2EA2
, xrefs: 00BE2FC5
static, xrefs: 00BE2D3A, 00BE2E91

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction ID: 1b438a38889c78148e88a17f93639f4ca3d1348b2382b67763b4f26f061333d0
Opcode Fuzzy Hash: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction Fuzzy Hash: 2F028A71910209AFDB14DFA4CD89EAE7BF9EF48710F048198F915AB2A1DB74ED41CB60

Function 00BF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BF712F
GetSysColorBrush.USER32(0000000F), ref: 00BF7160
GetSysColor.USER32(0000000F), ref: 00BF716C
SetBkColor.GDI32(?,000000FF), ref: 00BF7186
SelectObject.GDI32(?,?), ref: 00BF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF71C0
GetSysColor.USER32(00000010), ref: 00BF71C8
CreateSolidBrush.GDI32(00000000), ref: 00BF71CF
FrameRect.USER32(?,?,00000000), ref: 00BF71DE
DeleteObject.GDI32(00000000), ref: 00BF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00BF7230
FillRect.USER32(?,?,?), ref: 00BF7262
GetWindowLongW.USER32(?,000000F0), ref: 00BF7284

Part of subcall function 00BF73E8: GetSysColor.USER32(00000012), ref: 00BF7421
Part of subcall function 00BF73E8: SetTextColor.GDI32(?,?), ref: 00BF7425
Part of subcall function 00BF73E8: GetSysColorBrush.USER32(0000000F), ref: 00BF743B
Part of subcall function 00BF73E8: GetSysColor.USER32(0000000F), ref: 00BF7446
Part of subcall function 00BF73E8: GetSysColor.USER32(00000011), ref: 00BF7463
Part of subcall function 00BF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
Part of subcall function 00BF73E8: SelectObject.GDI32(?,00000000), ref: 00BF7482
Part of subcall function 00BF73E8: SetBkColor.GDI32(?,00000000), ref: 00BF748B
Part of subcall function 00BF73E8: SelectObject.GDI32(?,?), ref: 00BF7498
Part of subcall function 00BF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
Part of subcall function 00BF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
Part of subcall function 00BF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9c814e6e6a0136c4daa964e345a75e5b07430e905139f41cf9d3f7a3bbcd2c1a
Instruction ID: 49fbb7c9ae34901ee1dcfd7f4c2abcfe8a998779082d7de587ac5428db4a6278
Opcode Fuzzy Hash: 9c814e6e6a0136c4daa964e345a75e5b07430e905139f41cf9d3f7a3bbcd2c1a
Instruction Fuzzy Hash: F3A18F72008309AFD7009F64DD49E7A7BE9FB49320F100A59FA62A71A1DB71E989CB51

Function 00B78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BB6F43

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

SendMessageW.USER32(?,00001053), ref: 00BB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FB7

Strings

0, xrefs: 00BB6DCF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction ID: ea83692bbbb5e1444c95a915b3b254eff2d659dcf1b492109011a1ce34e96c4c
Opcode Fuzzy Hash: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction Fuzzy Hash: 54129C30605201EFDB25CF24C998BB9BBE5FB44310F1884A9E499CB261CB75EC92DB51

Function 00BE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BE2900
GetClientRect.USER32(00000000,?), ref: 00BE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BE2964
GetStockObject.GDI32(00000011), ref: 00BE2974
SelectObject.GDI32(00000000,00000000), ref: 00BE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE2991
DeleteDC.GDI32(00000000), ref: 00BE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BE2A77
GetStockObject.GDI32(00000011), ref: 00BE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BE2A97

Strings

AutoIt v3, xrefs: 00BE28F8
DISPLAY, xrefs: 00BE295A
static, xrefs: 00BE294F, 00BE2A71
msctls_progress32, xrefs: 00BE2A13

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction ID: 4ac21d7c651fd518bf3c08487b9a7635407a995dfc0b80e9eb73b99a156367a1
Opcode Fuzzy Hash: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction Fuzzy Hash: AFB16E71A50219AFEB14DF68CD89FAE7BB9EB08710F004155F915E72A0DB74ED40CBA0

Function 00BD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4AED
GetDriveTypeW.KERNEL32(?,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4BCA
SetErrorMode.KERNEL32(00000000,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4D36

Strings

FileBackedVirtual, xrefs: 00BD4CEC
SCSI, xrefs: 00BD4C8A
Fibre, xrefs: 00BD4CAD
SSD, xrefs: 00BD4C4A
CDROM, xrefs: 00BD4BFB
SATA, xrefs: 00BD4CD0
SSA, xrefs: 00BD4CA6
Virtual, xrefs: 00BD4CE5
ATAPI, xrefs: 00BD4C91
\\.\, xrefs: 00BD4B3F
Fixed, xrefs: 00BD4C09
Network, xrefs: 00BD4C02
1394, xrefs: 00BD4C9F
Removable, xrefs: 00BD4C10, 00BD4C15
iSCSI, xrefs: 00BD4CC2
USB, xrefs: 00BD4CB4
MMC, xrefs: 00BD4CDE
ATA, xrefs: 00BD4C98
RAMDisk, xrefs: 00BD4BF4
RAID, xrefs: 00BD4CBB
PhysicalDrive, xrefs: 00BD4B76
SAS, xrefs: 00BD4CC9
Unknown, xrefs: 00BD4BED, 00BD4C83

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction ID: 9db6e8ab3eb797e380fe12a45fa931bcad339738035de1ee020b085145006a47
Opcode Fuzzy Hash: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction Fuzzy Hash: A561AF30616109ABCB04DF24DAC1978F7F1EB44304B2884E7F806ABB91EB35ED41DB51

Function 00BF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BF7421
SetTextColor.GDI32(?,?), ref: 00BF7425
GetSysColorBrush.USER32(0000000F), ref: 00BF743B
GetSysColor.USER32(0000000F), ref: 00BF7446
CreateSolidBrush.GDI32(?), ref: 00BF744B
GetSysColor.USER32(00000011), ref: 00BF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
SelectObject.GDI32(?,00000000), ref: 00BF7482
SetBkColor.GDI32(?,00000000), ref: 00BF748B
SelectObject.GDI32(?,?), ref: 00BF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00BF7572
DrawFocusRect.USER32(?,?), ref: 00BF757D
GetSysColor.USER32(00000011), ref: 00BF758E
SetTextColor.GDI32(?,00000000), ref: 00BF7596
DrawTextW.USER32(?,00BF70F5,000000FF,?,00000000), ref: 00BF75A8
SelectObject.GDI32(?,?), ref: 00BF75BF
DeleteObject.GDI32(?), ref: 00BF75CA
SelectObject.GDI32(?,?), ref: 00BF75D0
DeleteObject.GDI32(?), ref: 00BF75D5
SetTextColor.GDI32(?,?), ref: 00BF75DB
SetBkColor.GDI32(?,?), ref: 00BF75E5

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ddc83781afad9450cc96c7a9caf0a37ac62ccf6b0b5d0484a3135725ad1652f6
Instruction ID: c76f206bd528cd12ae29fb2638edbaa5cfd9196399fd904d37605b2b543f0ed1
Opcode Fuzzy Hash: ddc83781afad9450cc96c7a9caf0a37ac62ccf6b0b5d0484a3135725ad1652f6
Instruction Fuzzy Hash: 01615C7290421CAFDB019FA4DD49EEEBFB9EB08320F114155FA15BB2A1DB709980CB90

Function 00BF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF1128
GetDesktopWindow.USER32 ref: 00BF113D
GetWindowRect.USER32(00000000), ref: 00BF1144
GetWindowLongW.USER32(?,000000F0), ref: 00BF1199
DestroyWindow.USER32(?), ref: 00BF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BF1245
IsWindowVisible.USER32(00000000), ref: 00BF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BF12D0
GetWindowRect.USER32(00000000,?), ref: 00BF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00BF1328
CopyRect.USER32(?,?), ref: 00BF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BF13AA

Strings

(, xrefs: 00BF131B
0, xrefs: 00BF10D3
tooltips_class32, xrefs: 00BF11E6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction ID: f7c5db6dd904ab3d7eb41b8dd0d7962df1a5fc0471954f771a5abce72e38f9fc
Opcode Fuzzy Hash: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction Fuzzy Hash: C0B16A71608345EFD704DF68C984B6ABBE4EF84750F008D5CFA99AB261DB71E848CB91

Function 00B78891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B78968
GetSystemMetrics.USER32(00000007), ref: 00B78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B7899B
GetSystemMetrics.USER32(00000008), ref: 00B789A3
GetSystemMetrics.USER32(00000004), ref: 00B789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B78A5A
GetStockObject.GDI32(00000011), ref: 00B78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B78A81

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

SetTimer.USER32(00000000,00000000,00000028,00B790FC), ref: 00B78AA8

Strings

InitializeCriticalSectionEx, xrefs: 00BB67BA
AutoIt v3 GUI, xrefs: 00B78A20

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$InitializeCriticalSectionEx
API String ID: 1458621304-260769550
Opcode ID: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction ID: 52d852041fc21f473dfb0a22a678a7ca8fed55448d428f3e5a61b9741d040ecd
Opcode Fuzzy Hash: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction Fuzzy Hash: DDB16B71A00209AFDB14DFA8CD89BFE3BF5FB48314F158169FA19A7290DB74A840CB51

Function 00BC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0E29
GetLengthSid.ADVAPI32(?), ref: 00BC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0E96
GetLengthSid.ADVAPI32(?), ref: 00BC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0EDD
CopySid.ADVAPI32(00000000), ref: 00BC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F6E
HeapFree.KERNEL32(00000000), ref: 00BC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F7E
HeapFree.KERNEL32(00000000), ref: 00BC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F8E
HeapFree.KERNEL32(00000000), ref: 00BC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0FA1
HeapFree.KERNEL32(00000000), ref: 00BC0FA8

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction ID: 7a20f3b2ac873d0bc491dfa7fc784f56200633f1154fb1feef9224be3ee7a670
Opcode Fuzzy Hash: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction Fuzzy Hash: C5715A7290020AEBDF20AFA4DD48FAEBBB8FF05300F144199F919E7191DB319A55CB60

Function 00BEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BFCC08,00000000,?,00000000,?,?), ref: 00BEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BEC5A4
_wcslen.LIBCMT ref: 00BEC5F4
_wcslen.LIBCMT ref: 00BEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BEC84D
RegCloseKey.ADVAPI32(?), ref: 00BEC881
RegCloseKey.ADVAPI32(00000000), ref: 00BEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BEC960

Strings

REG_SZ, xrefs: 00BEC644
REG_MULTI_SZ, xrefs: 00BEC6F5
REG_DWORD, xrefs: 00BEC804
REG_BINARY, xrefs: 00BEC913
REG_EXPAND_SZ, xrefs: 00BEC5CD
REG_QWORD, xrefs: 00BEC8C3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b5e9db4e49e4633936c1c5e68bf2af691b5416e635cf3ba794ec9e5f12f05e38
Instruction ID: 8a9d08f2768952418015cc9c743438067ebfff396f8616379787dd996bcf813c
Opcode Fuzzy Hash: b5e9db4e49e4633936c1c5e68bf2af691b5416e635cf3ba794ec9e5f12f05e38
Instruction Fuzzy Hash: 25127A356042419FD714DF25C891A2ABBE5FF88714F14889DF88A9B3A2DB35FD42CB81

Function 00BF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF09C6
_wcslen.LIBCMT ref: 00BF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF0A54
_wcslen.LIBCMT ref: 00BF0A8A
_wcslen.LIBCMT ref: 00BF0B06
_wcslen.LIBCMT ref: 00BF0B81

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BC2BFA

Strings

COLLAPSE, xrefs: 00BF0B01, 00BF0B1C
EXPAND, xrefs: 00BF0BF8
GETTEXT, xrefs: 00BF0C97
ISCHECKED, xrefs: 00BF0CE1
CHECK, xrefs: 00BF0A85, 00BF0AA0
GETITEMCOUNT, xrefs: 00BF0C1E
SELECT, xrefs: 00BF0D11
GETTOTALCOUNT, xrefs: 00BF09F2, 00BF0A17
EXISTS, xrefs: 00BF0B7C, 00BF0B97
UNCHECK, xrefs: 00BF0D3E
GETSELECTED, xrefs: 00BF0C4E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction ID: f490d7ab301cce3437eb8fd7ac08333ec8b17bec0a3aee3979abfe7d53d3c590
Opcode Fuzzy Hash: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction Fuzzy Hash: C8E17B352183058FCB14EF24C49093AB7E1FF98314B14899DF99A9B762DB30ED49CB81

Function 00BEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKU, xrefs: 00BECBF0
HKEY_CURRENT_CONFIG, xrefs: 00BECB79, 00BECB7E
HKEY_USERS, xrefs: 00BECBDF
HKCC, xrefs: 00BECBAC
HKEY_CLASSES_ROOT, xrefs: 00BECAF3, 00BECAF8
HKCU, xrefs: 00BECBCE
HKCR, xrefs: 00BECB29, 00BECB2E
HKLM, xrefs: 00BECA98, 00BECA9D
HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67
HKEY_CURRENT_USER, xrefs: 00BECBBD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction ID: bc92e83746bbf64929cedc6a4046ffa3949817970c9f381fe283d88a96c409cf
Opcode Fuzzy Hash: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction Fuzzy Hash: 707108326001AA8BCF20DE7ED9815BE3BE5EF60754B2512B4F86697294E735CD46C390

Function 00BF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF835A
_wcslen.LIBCMT ref: 00BF836E
_wcslen.LIBCMT ref: 00BF8391
_wcslen.LIBCMT ref: 00BF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00BF361A,?), ref: 00BF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8501
FreeLibrary.KERNEL32(?), ref: 00BF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BF851D
DestroyIcon.USER32(?), ref: 00BF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BF8555

Strings

.dll, xrefs: 00BF83AB
.icl, xrefs: 00BF8368
.exe, xrefs: 00BF8388

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction ID: 5e4449e03b03f5067fc948f130650cf302e73759625b37c598727ca7338a54b1
Opcode Fuzzy Hash: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction Fuzzy Hash: 9561DE7150021ABEEB14DF64CC82BBE7BA8FB14710F10468AF915DB1E1DF74A994CBA0

Function 00B67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00B678D9
Unterminated group of comments, xrefs: 00BA528C
Cannot parse #include, xrefs: 00BA5279
#cs, xrefs: 00B67873, 00B678C5
#requireadmin, xrefs: 00B677FF
#OnAutoItStartRegister, xrefs: 00B67817
Bad directive syntax error, xrefs: 00BA519A
', xrefs: 00BA5169
#include, xrefs: 00B67847
#pragma compile, xrefs: 00B677D3
#notrayicon, xrefs: 00B677E7
#ce, xrefs: 00B678ED
#include-once, xrefs: 00B6782F
#comments-start, xrefs: 00B6785F, 00B678B1
", xrefs: 00BA5153

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b31e7f665a649d5273cb23e54874394defd82aeee334a67de38000351d7b4b92
Instruction ID: cc20e234a9ea55484877ed2fb71a39c5150e8d31881617ab6e667514f6f7cfa1
Opcode Fuzzy Hash: b31e7f665a649d5273cb23e54874394defd82aeee334a67de38000351d7b4b92
Instruction Fuzzy Hash: 7381C171684209ABDB20AF64CC82FBE37E8EF15304F1440E4F905AB1A6EB749A45C7A5

Function 00BD3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BD3EF8
_wcslen.LIBCMT ref: 00BD3F03
_wcslen.LIBCMT ref: 00BD3F5A
_wcslen.LIBCMT ref: 00BD3F98
GetDriveTypeW.KERNEL32(?), ref: 00BD3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4087

Strings

open , xrefs: 00BD3FE5
close cd wait, xrefs: 00BD4072
set cd door , xrefs: 00BD4028
type cdaudio alias cd wait, xrefs: 00BD4001
wait, xrefs: 00BD4044
open, xrefs: 00BD3F54, 00BD3F59
close, xrefs: 00BD3EFE, 00BD3F18
closed, xrefs: 00BD3F08, 00BD3F2D, 00BD3F46, 00BD3F7E, 00BD3F97

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction ID: 38a2c30cc63a4c4a2696494c8c6b8f906050ee792b0a530e82f39f569406c329
Opcode Fuzzy Hash: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction Fuzzy Hash: 6B71F2726042169FC710EF24C88186AF7F4EF94758F1049AEF89697351EB34ED45CB92

Function 00BC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BC5A40
SetWindowTextW.USER32(?,?), ref: 00BC5A57
GetDlgItem.USER32(?,000003EA), ref: 00BC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BC5A72
GetDlgItem.USER32(?,000003E9), ref: 00BC5A82
SetWindowTextW.USER32(00000000,?), ref: 00BC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BC5AC3
GetWindowRect.USER32(?,?), ref: 00BC5ACC
_wcslen.LIBCMT ref: 00BC5B33
SetWindowTextW.USER32(?,?), ref: 00BC5B6F
GetDesktopWindow.USER32 ref: 00BC5B75
GetWindowRect.USER32(00000000), ref: 00BC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BC5BD3
GetClientRect.USER32(?,?), ref: 00BC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BC5C2F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction ID: dcb54ff35199f2f16dffb254b4a92b8fc6a62a5c6702f7f767401f369ed094bc
Opcode Fuzzy Hash: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction Fuzzy Hash: 22711A31900A09AFDB20DFA9CE85FAEBBF5EB48704F10455CE546A35A0DB75BD84CB50

Function 00BDFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BDFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00BDFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00BDFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00BDFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00BDFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00BDFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00BDFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00BDFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00BDFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00BDFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00BDFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00BDFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00BDFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00BDFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00BDFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00BDFECC
GetCursorInfo.USER32(?), ref: 00BDFEDC
GetLastError.KERNEL32 ref: 00BDFF1E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction ID: 56c9844f893bb87033c82da5311713e574005a04de0079d135737e5f99e25a49
Opcode Fuzzy Hash: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction Fuzzy Hash: 644124B0D0931AAADB109FBA8C8586EBFE8FF04754B50456AE11DE7281DB789901CF91

Function 00B800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B800C6

Part of subcall function 00B800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C3070C,00000FA0,62CD19E7,?,?,?,?,00BA23B3,000000FF), ref: 00B8011C
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80127
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80138
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B8014E
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B8015C
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B8016A
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B80195
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B801A0

___scrt_fastfail.LIBCMT ref: 00B800E7

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

Strings

SleepConditionVariableCS, xrefs: 00B80154
WakeAllConditionVariable, xrefs: 00B80162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B80122
InitializeConditionVariable, xrefs: 00B80148
kernel32.dll, xrefs: 00B80133

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction ID: 97a3f3e0a058ea0c0185dbb1f912e6f3a4c54a10533cd9c54530bc026c974fd9
Opcode Fuzzy Hash: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction Fuzzy Hash: 5521F53365470A6BE7507B64AC49B3D76D4DF06BA0F1001B9F905B32B1DF609844CB94

Function 00BC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC318D
_wcslen.LIBCMT ref: 00BC31F8

Strings

NAME, xrefs: 00BC3335, 00BC3346
TEXT, xrefs: 00BC347C
INSTANCE, xrefs: 00BC3453
CLASS, xrefs: 00BC3188, 00BC31A5
CLASSNN, xrefs: 00BC31F3, 00BC3204
REGEXPCLASS, xrefs: 00BC3255, 00BC3266

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction ID: c728bf71f633bb521140366b49d2d2fff210435b034310894740503f688535df
Opcode Fuzzy Hash: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction Fuzzy Hash: BCE18331A005169BCF189FA8C491BEEBBE4FF54B10F94C1ADE456F7250DB30AE859790

Function 00BD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BFCC08), ref: 00BD4527
_wcslen.LIBCMT ref: 00BD453B
_wcslen.LIBCMT ref: 00BD4599
_wcslen.LIBCMT ref: 00BD45F4
_wcslen.LIBCMT ref: 00BD463F
_wcslen.LIBCMT ref: 00BD46A7

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

GetDriveTypeW.KERNEL32(?,00C26BF0,00000061), ref: 00BD4743

Strings

unknown, xrefs: 00BD4708
all, xrefs: 00BD4531, 00BD4536
cdrom, xrefs: 00BD458F, 00BD4594
network, xrefs: 00BD469D, 00BD46A2
fixed, xrefs: 00BD4635, 00BD463A
ramdisk, xrefs: 00BD46F1
removable, xrefs: 00BD45EA, 00BD45EF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction ID: d8e071243d06fe6be01191e69bbe35beeb4de87875279bc18ddfdf595d76c00d
Opcode Fuzzy Hash: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction Fuzzy Hash: 2FB1AD716083029FC710DF28D890A6AF7E5EFA5764F5049AEF49A87391E730D844CBA2

Function 00BE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BFCC08), ref: 00BE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BFCC08), ref: 00BE40F2
FreeLibrary.KERNEL32(00000000,?,00BFCC08), ref: 00BE413E
StringFromGUID2.OLE32(?,?,00000028,?,00BFCC08), ref: 00BE41A8
SysFreeString.OLEAUT32(00000009), ref: 00BE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BE42C8
SysFreeString.OLEAUT32(?), ref: 00BE42F2

Strings

GetModuleHandleExW, xrefs: 00BE40C7
kernel32.dll, xrefs: 00BE40B6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction ID: d750eceddc63f7eb2de1589928ddef5f12008970e75d3c534a8b935574038afb
Opcode Fuzzy Hash: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction Fuzzy Hash: 98125C75A00159EFDB14DF95C884EAEBBF9FF45314F248098E905AB251CB31ED86CBA0

Function 00B6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C31990), ref: 00BA2F8D
GetMenuItemCount.USER32(00C31990), ref: 00BA303D
GetCursorPos.USER32(?), ref: 00BA3081
SetForegroundWindow.USER32(00000000), ref: 00BA308A
TrackPopupMenuEx.USER32(00C31990,00000000,?,00000000,00000000,00000000), ref: 00BA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BA30A9

Strings

0, xrefs: 00B6327D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c76b75e57083edfff18e83ec6adde1debde03d5b93d0ba02d3498d4f60c2e4d6
Instruction ID: 4c277ed7251c99af30be6711ad1839dccce98079379d6e21d775da293be8a8c1
Opcode Fuzzy Hash: c76b75e57083edfff18e83ec6adde1debde03d5b93d0ba02d3498d4f60c2e4d6
Instruction Fuzzy Hash: 39711970648205BEEB258F28CC89FAABFE4FF05724F204296F5156B1E0C7B5A954DB90

Function 00BF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BF6DEB

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6E94
DestroyWindow.USER32(?), ref: 00BF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6EFD
GetDesktopWindow.USER32 ref: 00BF6F16
GetWindowRect.USER32(00000000), ref: 00BF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BF6F4D

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Strings

0, xrefs: 00BF6D98
tooltips_class32, xrefs: 00BF6E58, 00BF6EDD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction ID: b36a28470a82cccfd5bbdafd4fae0b6cc43c1dfe2d9774cff19ca81e3649ed62
Opcode Fuzzy Hash: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction Fuzzy Hash: 8F715675104348AFDB21CF18D844BBABBE9FB89304F08495DFA9987261CB70AD4ADB11

Function 00BF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DragQueryPoint.SHELL32(?,?), ref: 00BF9147

Part of subcall function 00BF7674: ClientToScreen.USER32(?,?), ref: 00BF769A
Part of subcall function 00BF7674: GetWindowRect.USER32(?,?), ref: 00BF7710
Part of subcall function 00BF7674: PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00BF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9277
DragFinish.SHELL32(?), ref: 00BF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BF9371

Strings

@GUI_DRAGFILE, xrefs: 00BF9320
@GUI_DROPID, xrefs: 00BF929E
@GUI_DRAGID, xrefs: 00BF92E9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction ID: 5f5594649756cc1d1396499d132d371f2fee20a2ee0116df104b3d3219a25de2
Opcode Fuzzy Hash: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction Fuzzy Hash: 06617B71108305AFD701DF64DD85EAFBBE8EF88750F00096EF695931A1DB709A49CB52

Function 00BDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC5F0
InternetCloseHandle.WININET(00000000), ref: 00BDC5FB

Strings

, xrefs: 00BDC575

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction ID: bdde50084b292b0f1f387848384df2a3f0bfe00ac6dbbc5476fd8b5518f0c1e9
Opcode Fuzzy Hash: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction Fuzzy Hash: EF515AB150020ABFDB219F60D989ABBBFFCFB18744F00445AF94697210EB30E944DB60

Function 00BF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00BF8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00BF85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00BF85AD
CloseHandle.KERNEL32(00000000), ref: 00BF85BA
GlobalLock.KERNEL32(00000000), ref: 00BF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00BF85E0
CloseHandle.KERNEL32(00000000), ref: 00BF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BF85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,?), ref: 00BF8611
GlobalFree.KERNEL32(00000000), ref: 00BF8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00BF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BF8671
DeleteObject.GDI32(00000000), ref: 00BF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BF86AF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction ID: cf8d626c54c4239c89a7fe56677ce23052ba4648d55510651f6377527985e75a
Opcode Fuzzy Hash: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction Fuzzy Hash: FC41F875600208BFDB11DFA5DD88EBA7BB8EF89B55F104058F905EB260DB309D45DB60

Function 00BD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00BD1502
VariantCopy.OLEAUT32(?,?), ref: 00BD150B
VariantClear.OLEAUT32(?), ref: 00BD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00BD1657
VariantInit.OLEAUT32(?), ref: 00BD1708
SysFreeString.OLEAUT32(?), ref: 00BD178C
VariantClear.OLEAUT32(?), ref: 00BD17D8
VariantClear.OLEAUT32(?), ref: 00BD17E7
VariantInit.OLEAUT32(00000000), ref: 00BD1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00BD1625
Default, xrefs: 00BD16AF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7a6667ffff728fbf15160877e4956fa941f4e7a8af240440e12d73c11dfdbef1
Instruction ID: b010d487acfb64268e93db804ca526d8e3279e9cc726d059d92d5c4802d7b0a7
Opcode Fuzzy Hash: 7a6667ffff728fbf15160877e4956fa941f4e7a8af240440e12d73c11dfdbef1
Instruction Fuzzy Hash: B6D1CC71A00505EBDB109F69E885B79F7F5FF45704F1088E6E406AB290EB38EC45DB62

Function 00BEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00BEB80A
RegCloseKey.ADVAPI32(?), ref: 00BEB87E
RegCloseKey.ADVAPI32(?), ref: 00BEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BEB922
FreeLibrary.KERNEL32(00000000), ref: 00BEB983
RegCloseKey.ADVAPI32(00000000), ref: 00BEB994

Strings

advapi32.dll, xrefs: 00BEB8ED
RegDeleteKeyExW, xrefs: 00BEB8FE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction ID: 6703167818452e5f8b681d648ccc242fded752a270b92f630bd77d2be05a0bb3
Opcode Fuzzy Hash: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction Fuzzy Hash: 52C18934208281AFD710DF25C495F2ABBE5FF84308F14859CE49A8B7A2CB75ED46CB91

Function 00BE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BE25E8
CreateCompatibleDC.GDI32(?), ref: 00BE25F4
SelectObject.GDI32(00000000,?), ref: 00BE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BE26D0
SelectObject.GDI32(?,?), ref: 00BE26D8
DeleteObject.GDI32(?), ref: 00BE26E1
DeleteDC.GDI32(?), ref: 00BE26E8
ReleaseDC.USER32(00000000,?), ref: 00BE26F3

Strings

(, xrefs: 00BE268D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2e7984a8c31ecf2fbd2bb9c8c7086f6b76fbb47045c0371057f9e7c40eb5b16e
Instruction ID: 6a41e0af216bcd2845d06204222d27b7b5ae54753f2e26e065b2969cbe6eaa99
Opcode Fuzzy Hash: 2e7984a8c31ecf2fbd2bb9c8c7086f6b76fbb47045c0371057f9e7c40eb5b16e
Instruction Fuzzy Hash: 5A61C075D00219EFCF04CFA8D984AAEBBF9FF48310F248569E955A7250D770A951CF50

Function 00B9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B9DAA1

Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D659
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D66B
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D67D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D68F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6A1
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6B3
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6C5
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6D7
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6E9
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6FB
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D70D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D71F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D731

_free.LIBCMT ref: 00B9DA96

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9DAB8
_free.LIBCMT ref: 00B9DACD
_free.LIBCMT ref: 00B9DAD8
_free.LIBCMT ref: 00B9DAFA
_free.LIBCMT ref: 00B9DB0D
_free.LIBCMT ref: 00B9DB1B
_free.LIBCMT ref: 00B9DB26
_free.LIBCMT ref: 00B9DB5E
_free.LIBCMT ref: 00B9DB65
_free.LIBCMT ref: 00B9DB82
_free.LIBCMT ref: 00B9DB9A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction ID: 57a75b513357fd144cf34a461a6d2d62a15299e3d09b27498330ce3485c1d5ba
Opcode Fuzzy Hash: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction Fuzzy Hash: 84314971A04305AFEF21AB3AE845B5AB7E9FF10320F5544B9E549D7291DF31AC90CB60

Function 00BC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BC369C
_wcslen.LIBCMT ref: 00BC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BC3797
GetClassNameW.USER32(?,?,00000400), ref: 00BC380C
GetDlgCtrlID.USER32(?), ref: 00BC385D
GetWindowRect.USER32(?,?), ref: 00BC3882
GetParent.USER32(?), ref: 00BC38A0
ScreenToClient.USER32(00000000), ref: 00BC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BC395D

Strings

%s%u, xrefs: 00BC3734

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction ID: 0a662418cb9910609298a9c48058cbcb8780fd87313954375e2a878c4f0ce010
Opcode Fuzzy Hash: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction Fuzzy Hash: 6491AF71204606AFDB18DF24C885FAAF7E8FF44750F40856DF99AD3190DB70AA45CB91

Function 00BC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BC49DA
_wcslen.LIBCMT ref: 00BC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BC49F7
_wcsstr.LIBVCRUNTIME ref: 00BC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BC4B20
GetWindowRect.USER32(?,?), ref: 00BC4B8B

Strings

ThumbnailClass, xrefs: 00BC4A6F, 00BC4AF1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction ID: 37c9ef074b078e9307f6b2a8dc1c1c3c36836a7c4ed69cdb2fe3d8dc6515a5cf
Opcode Fuzzy Hash: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction Fuzzy Hash: 72919D71108209AFDB14DF14C995FAA7BE8EF44314F0484ADFD859B1A6DB30EE45CBA1

Function 00BCBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C31990,000000FF,00000000,00000030), ref: 00BCBFAC
SetMenuItemInfoW.USER32(00C31990,00000004,00000000,00000030), ref: 00BCBFE1
Sleep.KERNEL32(000001F4), ref: 00BCBFF3
GetMenuItemCount.USER32(?), ref: 00BCC039
GetMenuItemID.USER32(?,00000000), ref: 00BCC056
GetMenuItemID.USER32(?,-00000001), ref: 00BCC082
GetMenuItemID.USER32(?,?), ref: 00BCC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BCC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC145

Strings

0, xrefs: 00BCBF3D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9bdb9a522c246b2445942449ee988ee496203b3c9b270fc11679975e74a28103
Instruction ID: 28c0d7886eb05e668a3ea4087a510ee2bcf8daa64c02a8cf68daa55645b942d4
Opcode Fuzzy Hash: 9bdb9a522c246b2445942449ee988ee496203b3c9b270fc11679975e74a28103
Instruction Fuzzy Hash: 44617BB090024AAFDF11CF64DD89FBE7FE8EB25344F144099E859A3291CB35AD45CB60

Function 00BECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD48

Part of subcall function 00BECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BECCAA
Part of subcall function 00BECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BECCBD
Part of subcall function 00BECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BECCCF
Part of subcall function 00BECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD05
Part of subcall function 00BECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BECCF3

Strings

advapi32.dll, xrefs: 00BECCB8
RegDeleteKeyExW, xrefs: 00BECCC9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction ID: 27e5ab802335025db3c95aba6cad8122f5cc05c2737dbfe5d13e6fae390e326f
Opcode Fuzzy Hash: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction Fuzzy Hash: F9316E7190112DBBDB208B65DC88EFFBFBCEF55750F1041B5A906E3240DB349A86DAA0

Function 00BD3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BD3D40
_wcslen.LIBCMT ref: 00BD3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BD3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00BD3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BD3E55
CloseHandle.KERNEL32(00000000), ref: 00BD3E60
CloseHandle.KERNEL32(00000000), ref: 00BD3E6B

Strings

:, xrefs: 00BD3D82
\??\%s, xrefs: 00BD3D5B
\, xrefs: 00BD3D77

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction ID: bcaf2bba3ea48977bd45f4e33fee99229993a83f452359c4b44add3dc6192e28
Opcode Fuzzy Hash: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction Fuzzy Hash: 35318C7290020AAADB209FA0DC49FEB77F9EF88B40F1040B6F50997161EB709784CB25

Function 00BCE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BCE6B4

Part of subcall function 00B7E551: timeGetTime.WINMM(?,?,00BCE6D4), ref: 00B7E555

Sleep.KERNEL32(0000000A), ref: 00BCE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BCE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BCE727
SetActiveWindow.USER32 ref: 00BCE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BCE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BCE773
Sleep.KERNEL32(000000FA), ref: 00BCE77E
IsWindow.USER32 ref: 00BCE78A
EndDialog.USER32(00000000), ref: 00BCE79B

Strings

BUTTON, xrefs: 00BCE719

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction ID: dc28bba8e1343ebfa98157170e139c23c78aa59cf18839b2481e3e4fd162253f
Opcode Fuzzy Hash: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction Fuzzy Hash: BE216DB1210A08EFEB005F21ED8AF3A3FA9EB54748B105469F925C31B1DF71EC50CA64

Function 00BCE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BCEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BCEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BCEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BCEAA7

Strings

open , xrefs: 00BCEA0C
play PlayMe wait, xrefs: 00BCEA91
play PlayMe, xrefs: 00BCEAA2
status PlayMe mode, xrefs: 00BCEA58
alias PlayMe, xrefs: 00BCEA36
close PlayMe, xrefs: 00BCEA6E, 00BCEA9B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction ID: f7e86c7d370909a048b63aaabd87f79ceaf36342c84149c50ada864687ac4a4d
Opcode Fuzzy Hash: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction Fuzzy Hash: 54112131A90269BDD720B7A5ED4AEFF6AFCEBD2B40F440479B411A20D1EEB05945C9B0

Function 00BC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BCA012
SetKeyboardState.USER32(?), ref: 00BCA07D
GetAsyncKeyState.USER32(000000A0), ref: 00BCA09D
GetKeyState.USER32(000000A0), ref: 00BCA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00BCA0E3
GetKeyState.USER32(000000A1), ref: 00BCA0F4
GetAsyncKeyState.USER32(00000011), ref: 00BCA120
GetKeyState.USER32(00000011), ref: 00BCA12E
GetAsyncKeyState.USER32(00000012), ref: 00BCA157
GetKeyState.USER32(00000012), ref: 00BCA165
GetAsyncKeyState.USER32(0000005B), ref: 00BCA18E
GetKeyState.USER32(0000005B), ref: 00BCA19C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction ID: 5f3a675c79d6195c5f591beb2b72937045cc51d1649982671cc1cd5ad63e1d88
Opcode Fuzzy Hash: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction Fuzzy Hash: 3E51672090478C29FB35DBB08955FEAAFF5DF12384F0845DDD5C25B1C2DA54AA4CC762

Function 00BC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BC5CE2
GetWindowRect.USER32(00000000,?), ref: 00BC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BC5D59
GetDlgItem.USER32(?,00000002), ref: 00BC5D69
GetWindowRect.USER32(00000000,?), ref: 00BC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BC5DDD
GetWindowRect.USER32(00000000,?), ref: 00BC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BC5E31
GetDlgItem.USER32(?,000003EA), ref: 00BC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BC5E67

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction ID: 891c7065b1ae8d8cf97da349696c03a5058da28a989064e055eac45085f62604
Opcode Fuzzy Hash: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction Fuzzy Hash: 0151FF71A00609AFDF18DF68DD89EAEBBF5EB48310F148169F516E7290DB70AE44CB50

Function 00B78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

DestroyWindow.USER32(?), ref: 00B78C81
KillTimer.USER32(00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000), ref: 00BB69D4
DeleteObject.GDI32(00000000), ref: 00BB69E6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction ID: 1d58fb3908dd22fbbf287fc3437e0c1efd649b0c3320c94e03221350a25c6554
Opcode Fuzzy Hash: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction Fuzzy Hash: 78618C30511704DFCB269F24DA48B79BBF1FB44322F1885A8E45A9B5A0CB75AD80CF90

Function 00B79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetSysColor.USER32(0000000F), ref: 00B79862

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction ID: 7afd25e9c8058e520969a49217bcdd0378fc6e7d2a2ff5f3215eaf09e80250dd
Opcode Fuzzy Hash: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction Fuzzy Hash: 9B41F331104604AFDB209F389C84BB93BE5EB57370F148685F9B69B2E1CB709D82DB11

Function 00BC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BC9717
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9720

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BC9742
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BC9866

Strings

^ ERROR, xrefs: 00BC97FB
Line %d:, xrefs: 00BC97A0
Line %d (File "%s"):, xrefs: 00BC978F
Error: , xrefs: 00BC981D
%s (%d) : ==> %s: %s %s, xrefs: 00BC984A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction ID: 5b177e8965de2d9531b11a0e3b4f725bf0c3118af132cfaffa8970d88fba2e9e
Opcode Fuzzy Hash: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction Fuzzy Hash: DE412B72800219AADF04EBE0DE86EEE77BCAF55740F1400A5F60573192EB396F48CB61

Function 00BC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC083C

Strings

\IPC$, xrefs: 00BC0784
SOFTWARE\Classes\, xrefs: 00BC070E
\CLSID, xrefs: 00BC0724

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction ID: 765cd345092acfeac217650a872825a334d4bca824c32c65d4658395a2d91791
Opcode Fuzzy Hash: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction Fuzzy Hash: 8C41F572C10229EBDF15EFA4DC95DEEB7B8FF04750B1441A9E901A31A1EB349E45CBA0

Function 00BF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BF403B
CreateCompatibleDC.GDI32(00000000), ref: 00BF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BF4055
SelectObject.GDI32(00000000,00000000), ref: 00BF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BF4068
DeleteDC.GDI32(00000000), ref: 00BF4072
GetWindowLongW.USER32(?,000000EC), ref: 00BF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BF409E

Strings

static, xrefs: 00BF3FD3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 326501705ad5b7a252ee2443509c74f932b216790e7620f6d01333b1a44209f7
Instruction ID: 620c669df98aa99a98119690d6054aaa41760c629b2d1a283296b8550bf1a02b
Opcode Fuzzy Hash: 326501705ad5b7a252ee2443509c74f932b216790e7620f6d01333b1a44209f7
Instruction Fuzzy Hash: 9C313832501219ABDF219FA8CD49FEA3FA8EF09720F110251FA14A71A0CB75D864DB54

Function 00BE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE3C5C
CoInitialize.OLE32(00000000), ref: 00BE3C8A
CoUninitialize.OLE32 ref: 00BE3C94
_wcslen.LIBCMT ref: 00BE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00BE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BE3F0E
CoGetObject.OLE32(?,00000000,00BFFB98,?), ref: 00BE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00BE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BE3FC4
VariantClear.OLEAUT32(?), ref: 00BE3FD8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction ID: 216e34a8160e0a9b40aa2056b066288e5848fdb8d5656ac16159a470928ead39
Opcode Fuzzy Hash: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction Fuzzy Hash: 9CC159716043459FC700DF65C88892BBBE9FF89B44F1049ADF98A9B210DB31ED45CB92

Function 00BD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00BD7BA3
CoCreateInstance.OLE32(00BFFD08,00000000,00000001,00C26E6C,?), ref: 00BD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BD7C74
CoTaskMemFree.OLE32(?,?), ref: 00BD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00BD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00BD7D81
CoTaskMemFree.OLE32(00000000), ref: 00BD7DD6
CoUninitialize.OLE32 ref: 00BD7DDC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 97b4f2a4f31150a1398acb4da069ae3c49fdb3a5678ce003394befc3b099db1d
Instruction ID: 9f08d36b25f48149c1256ff8b8dec8f91dce544d6d1a6abef0ab97c70d2ccbc3
Opcode Fuzzy Hash: 97b4f2a4f31150a1398acb4da069ae3c49fdb3a5678ce003394befc3b099db1d
Instruction Fuzzy Hash: 64C10C75A04109AFCB14DF64C894DAEBBF9FF48314B1484A9E91ADB361EB30ED45CB90

Function 00BF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF5515
CharNextW.USER32(00000158), ref: 00BF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF55AC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction ID: ff663bc63516b987272200feecd80f30fa07b2e4a43b5f9f8967a202d2f02ad6
Opcode Fuzzy Hash: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction Fuzzy Hash: A5616D7490460CAFDF209F54CC85AFE7BF9EB09721F108189FB25A7290D7749A89DB60

Function 00BBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BBFB08
VariantInit.OLEAUT32(?), ref: 00BBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BBFBA1
VariantClear.OLEAUT32(?), ref: 00BBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBCC
VariantClear.OLEAUT32(?), ref: 00BBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBE9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction ID: 8265da55002ce7133f9c8214815f0655a37a4159dc8eae9c77b6807f2f3845ac
Opcode Fuzzy Hash: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction Fuzzy Hash: 82415E35A0021A9FCF14DF68DC549FEBFB9EF48344F0084A9E955A7361CB70A945CBA0

Function 00BC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BC9D22
GetKeyState.USER32(000000A0), ref: 00BC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BC9D57
GetKeyState.USER32(000000A1), ref: 00BC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BC9D84
GetKeyState.USER32(00000011), ref: 00BC9D96
GetAsyncKeyState.USER32(00000012), ref: 00BC9DAE
GetKeyState.USER32(00000012), ref: 00BC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BC9DD8
GetKeyState.USER32(0000005B), ref: 00BC9DEA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction ID: 36d09c95fb2711e6824339c3e967ece0b7d0e2590941d5b10b5238342ab89232
Opcode Fuzzy Hash: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction Fuzzy Hash: C141D8745047CA69FF308764940CBB6BEE0EB21344F0480EEDAC7675C2DBA499C8C7A2

Function 00BE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BE05BC
inet_addr.WSOCK32(?), ref: 00BE061C
gethostbyname.WSOCK32(?), ref: 00BE0628
IcmpCreateFile.IPHLPAPI ref: 00BE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00BE07B9
WSACleanup.WSOCK32 ref: 00BE07BF

Strings

Ping, xrefs: 00BE0676

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 776a59e9f0b5caf81f65ed3af605222104b73f536039018fa149d77534a6a628
Instruction ID: 201c9e1b33f2991045f88ab0262f536df5c1965d5fcda0d615152e037ee83714
Opcode Fuzzy Hash: 776a59e9f0b5caf81f65ed3af605222104b73f536039018fa149d77534a6a628
Instruction Fuzzy Hash: 0A919F356182419FD320EF16C588F2ABBE0EF44318F1485E9F4699B6A2C7B4ED85CF91

Function 00BE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BE8CF3

Part of subcall function 00BC8E54: _wcslen.LIBCMT ref: 00BC8E77

_wcslen.LIBCMT ref: 00BE8D4E
_wcslen.LIBCMT ref: 00BE8D9C
_wcslen.LIBCMT ref: 00BE8DDC
_wcslen.LIBCMT ref: 00BE8E6E

Strings

winapi, xrefs: 00BE8D96, 00BE8D9B
stdcall, xrefs: 00BE8DD6, 00BE8DDB
cdecl, xrefs: 00BE8D48, 00BE8D4D
none, xrefs: 00BE8E65, 00BE8E6A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction ID: d5733c1c03ac805bc5e4bdbe85cddb98f2a487dc56176a52ed420dcaeff5112e
Opcode Fuzzy Hash: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction Fuzzy Hash: 62519031A009569BCF24DF6DC9819BEB7E6FF64724B2042A9E42AE72C4DB35DD40C790

Function 00BE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BE3774
CoUninitialize.OLE32 ref: 00BE377F
CoCreateInstance.OLE32(?,00000000,00000017,00BFFB78,?), ref: 00BE37D9
IIDFromString.OLE32(?,?), ref: 00BE384C
VariantInit.OLEAUT32(?), ref: 00BE38E4
VariantClear.OLEAUT32(?), ref: 00BE3936

Strings

NULL Pointer assignment, xrefs: 00BE381E
Invalid parameter, xrefs: 00BE3865
Failed to create object, xrefs: 00BE37E4, 00BE389A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction ID: e2073eada117a9c2a2c5c5b2987e0eb5aae28cb445ce8f0e3f869abb87e58550
Opcode Fuzzy Hash: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction Fuzzy Hash: BF61B071608341AFD310DF55D888F6ABBE8EF48B14F10499DF9859B291DB70EE48CB92

Function 00BD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BD33CF

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BD33F0

Strings

^ ERROR , xrefs: 00BD349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3504
"%s" (%d) : ==> %s:, xrefs: 00BD3522
Incorrect parameters to object property !, xrefs: 00BD34AB
Line %d (File "%s"):, xrefs: 00BD3443, 00BD345C
Error: , xrefs: 00BD34D1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction ID: a73d9087b3bc17a119c731022e256a8966f9d1737dc87da015606f3abaf6f485
Opcode Fuzzy Hash: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction Fuzzy Hash: C9516D32900209AADF15EBA0DE46EEEB7F8EF14740F1440A5F505731A2EB356F58DB61

Function 00BCB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BCB5FC
_wcslen.LIBCMT ref: 00BCB608
_wcslen.LIBCMT ref: 00BCB64D
_wcslen.LIBCMT ref: 00BCB68C
_wcslen.LIBCMT ref: 00BCB6C7

Strings

KEYS, xrefs: 00BCB647, 00BCB64C
APPEND, xrefs: 00BCB6C1, 00BCB6C6
REMOVE, xrefs: 00BCB602, 00BCB607
EXISTS, xrefs: 00BCB686, 00BCB68B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction ID: deb569baf99b114b1f480b418f0ceaa914ae0e1c369699c2e3dc712b622511ed
Opcode Fuzzy Hash: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction Fuzzy Hash: 2A419532A001269ACB206F7DC992EBEB7E5EB60B54F2441BEE465D7284E735CD81C790

Function 00BD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BD5416
GetLastError.KERNEL32 ref: 00BD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00BD54A7

Strings

NOTREADY, xrefs: 00BD544B
READY, xrefs: 00BD5460, 00BD5468
READONLY, xrefs: 00BD5452
UNKNOWN, xrefs: 00BD5444
INVALID, xrefs: 00BD5459

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction ID: aca7c217db1df24fcdc5ca9ffc764b825101cdb2380c6d8bd46a4ccbb700a511
Opcode Fuzzy Hash: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction Fuzzy Hash: 18319375A005089FCB20DF68C584AAABBF4EF45305F1480AAE405DB356EB71DD86CF92

Function 00BF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BF3C79
SetMenu.USER32(?,00000000), ref: 00BF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3D10
IsMenu.USER32(?), ref: 00BF3D24
CreatePopupMenu.USER32 ref: 00BF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3D5B
DrawMenuBar.USER32 ref: 00BF3D63

Strings

0, xrefs: 00BF3C54
F, xrefs: 00BF3D4E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction ID: f93e26c0566d58c56abc9ee8d4bdac78d67dc44f5a2b13ae1b4507b5e3051035
Opcode Fuzzy Hash: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction Fuzzy Hash: 0B416779A01209EFDB14DF64D884BAA7BF5FF49750F140068EA56A7360D730AA18CF94

Function 00BC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BC1F64
GetDlgCtrlID.USER32 ref: 00BC1F6F
GetParent.USER32 ref: 00BC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1F8E
GetDlgCtrlID.USER32(?), ref: 00BC1F97
GetParent.USER32(?), ref: 00BC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1FAE

Strings

ComboBox, xrefs: 00BC1EEC
ListBox, xrefs: 00BC1F21

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction ID: f4e65f321312a423ec6b77be12c54819ab2b56f22216e13f33b99035e8f8a7fb
Opcode Fuzzy Hash: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction Fuzzy Hash: E821C270A00218BBCF04AFA4DC85EFEBBF8EF16350F004599F961A7291CB385958DB60

Function 00BC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00BC2043
GetDlgCtrlID.USER32 ref: 00BC204E
GetParent.USER32 ref: 00BC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC206D
GetDlgCtrlID.USER32(?), ref: 00BC2076
GetParent.USER32(?), ref: 00BC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC208D

Strings

ComboBox, xrefs: 00BC1FCD
ListBox, xrefs: 00BC2002

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction ID: d6d51195d1ca378cfbb03194bfdd7cf89c9f0add173faa15aae51255b8ecec58
Opcode Fuzzy Hash: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction Fuzzy Hash: 3521C375A00218BBCF14AFA0DD85EFEBFF8EF15340F00409AF951A71A1DA798954DB60

Function 00BF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00BF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BF3C13

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction ID: 623e301219065cf71ad0b4a94211fcffedb686c07a877f92bba4d723f1b3fbb5
Opcode Fuzzy Hash: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction Fuzzy Hash: 60613775A00248AFDB10DFA8CC81FFE77F8EB09710F144199FA15A72A2D774AA45DB50

Function 00B92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B92C94

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B92CA0
_free.LIBCMT ref: 00B92CAB
_free.LIBCMT ref: 00B92CB6
_free.LIBCMT ref: 00B92CC1
_free.LIBCMT ref: 00B92CCC
_free.LIBCMT ref: 00B92CD7
_free.LIBCMT ref: 00B92CE2
_free.LIBCMT ref: 00B92CED
_free.LIBCMT ref: 00B92CFB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction ID: 8444479e3de099674d58b9a10b088086dd399b6f3f3e1445aa0d5de05fa5705c
Opcode Fuzzy Hash: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction Fuzzy Hash: DE114076910108BFCF02EF94D982CDD7BA9FF05350F9145B5FA489B322DA31EA509B90

Function 00BD7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD7FC1
GetFileAttributesW.KERNEL32(?), ref: 00BD7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BD8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD80B0

Strings

*.*, xrefs: 00BD8066

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction ID: f34d7d00ec18bda9e99ad0354551049f2a8be8618df09bbe4d4ed6e6317e13dd
Opcode Fuzzy Hash: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction Fuzzy Hash: 998180715482459BCB20EF54C8849AAF7E8EB88314F14489FF889D7351FB35DD49CB92

Function 00B65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B65C7A

Part of subcall function 00B65D0A: GetClientRect.USER32(?,?), ref: 00B65D30
Part of subcall function 00B65D0A: GetWindowRect.USER32(?,?), ref: 00B65D71
Part of subcall function 00B65D0A: ScreenToClient.USER32(?,?), ref: 00B65D99

GetDC.USER32 ref: 00BA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BA4708
SelectObject.GDI32(00000000,00000000), ref: 00BA4716
SelectObject.GDI32(00000000,00000000), ref: 00BA472B
ReleaseDC.USER32(?,00000000), ref: 00BA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BA47C4

Strings

U, xrefs: 00BA4693

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction ID: 0d09926c3da35a362d789e787ac76fb9331e6d5bcad8216702e6ff3ec2284211
Opcode Fuzzy Hash: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction Fuzzy Hash: DB71D031408249DFCF218F68C984ABA7BF5FF8A320F1842E9ED555A1A6C7B49C91DF50

Function 00BD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00BD35E4

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00C32390,?,00000FFF,?), ref: 00BD360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3724
"%s" (%d) : ==> %s:, xrefs: 00BD3742
^ ERROR, xrefs: 00BD36C9
Line %d (File "%s"):, xrefs: 00BD366B
Error: , xrefs: 00BD36EF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction ID: 8491cd3d8cfe838364c74644932389faac0254ca149e3cc9e1e194e0e90c5011
Opcode Fuzzy Hash: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction Fuzzy Hash: 73518F72800209BADF14EBA0DD42EEDBBF8EF14700F1441A5F505721A2EB345B98DFA5

Function 00BDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC2CA
GetLastError.KERNEL32 ref: 00BDC322
SetEvent.KERNEL32(?), ref: 00BDC336
InternetCloseHandle.WININET(00000000), ref: 00BDC341

Strings

, xrefs: 00BDC2BB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction ID: 3efc66c9eb69827050057f14b0bef1072f5dcce8d440809031c876df6ee020a5
Opcode Fuzzy Hash: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction Fuzzy Hash: 93316BB1600609AFDB21AF658988ABBBFFCEB49754B10855EF44693310EB30ED44DB64

Function 00BC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BA3AAF,?,?,Bad directive syntax error,00BFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BC98BC
LoadStringW.USER32(00000000,?,00BA3AAF,?), ref: 00BC98C3

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BC9987

Strings

Error: , xrefs: 00BC9955
., xrefs: 00BC996D
%s (%d) : ==> %s.: %s %s, xrefs: 00BC98F1
Line %d:, xrefs: 00BC9912
Line %d (File "%s"):, xrefs: 00BC992D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction ID: 743e5ce878b0df147e7a0b418b0506e6ba4638a948c80711cda7375568f7982a
Opcode Fuzzy Hash: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction Fuzzy Hash: A021803180021EABDF11EF90CC0AEFE77B9FF18700F0444A9F515620A2EB759A58DB60

Function 00BC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BC214D

Strings

details, xrefs: 00BC20FB
list, xrefs: 00BC212F
SHELLDLL_DefView, xrefs: 00BC20CC
largeicons, xrefs: 00BC20E1
smallicons, xrefs: 00BC2115

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction ID: a3442e7a54a616f781eb62f36f1282e39662e0d8762f4e06af52822231b3a9b9
Opcode Fuzzy Hash: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction Fuzzy Hash: 4411C676688717BAFA157720EC06EB777DCDF05725B2001BAFB04FA0E1EE7168419A14

Function 00B98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction ID: b2aa85dac2e3af061b5ffb18d17f7ba6a7ca4622392b47d9d1a46720936c66d7
Opcode Fuzzy Hash: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction Fuzzy Hash: 74C1BE75D04249AFDF11EFACC891BADBBF0AF0A310F1440E9F425A7292D7309941CB61

Function 00B9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B9CEB7
_free.LIBCMT ref: 00B9CF22
_free.LIBCMT ref: 00B9CF48
_free.LIBCMT ref: 00B9CF71
_free.LIBCMT ref: 00B9CFA9
_free.LIBCMT ref: 00B9CFDA
_free.LIBCMT ref: 00B9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B9D09C
_free.LIBCMT ref: 00B9D0B5

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction ID: 8e7351d4a81bbdfbbe08626227bf8c22a3db63cd793d5e8120135a86d15f4e72
Opcode Fuzzy Hash: c44f3277601b8f797dffcc2bf3285e7fa44c9a2c8e3378df2db363b699683b60
Instruction Fuzzy Hash: DC61E072A04205AFDF21AFB49891BAE7FE5EF05360F1441FDF945A7282E7329D098790

Function 00BF50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00BF5186
ShowWindow.USER32(?,00000000), ref: 00BF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00BF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00BF51D1

Part of subcall function 00BF6FBA: DeleteObject.GDI32(00000000), ref: 00BF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00BF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00BF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00BF5296

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 81e7e7359001964423f0593e9b4f3599324a198b12bdf673b64175bbfa590f85
Instruction ID: 4cb7ba2e3496301ab1b49bcaea5292b2c656bbd9963c68e0d36c3a8914108a60
Opcode Fuzzy Hash: 81e7e7359001964423f0593e9b4f3599324a198b12bdf673b64175bbfa590f85
Instruction Fuzzy Hash: 0D516F30A50A0CBEEF349F24CC45BB97BE5EB05321F148291F725A72E0C775AA98DB41

Function 00B78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB692D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction ID: 75301d2f0f70e593cb4c113fbceaea3f3e7efc9587810cf17ce7463fa9180001
Opcode Fuzzy Hash: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction Fuzzy Hash: 08518A70600209EFDB20CF24CC95BBA7BF5EB48760F108558F95A972A0DBB1ED90DB50

Function 00BDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC182
GetLastError.KERNEL32 ref: 00BDC195
SetEvent.KERNEL32(?), ref: 00BDC1A9

Part of subcall function 00BDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
Part of subcall function 00BDC253: GetLastError.KERNEL32 ref: 00BDC322
Part of subcall function 00BDC253: SetEvent.KERNEL32(?), ref: 00BDC336
Part of subcall function 00BDC253: InternetCloseHandle.WININET(00000000), ref: 00BDC341

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction ID: 5513cb2c31a5d7f73f52bb89bad3d47f3984a741ea2f456787b4b0d177a88380
Opcode Fuzzy Hash: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction Fuzzy Hash: A1314771600A06AFDB219FA59D44A76FFE9FF18300B14446EF95A93710EB31E854DBA0

Function 00BC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BC2627

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction ID: 304151a10dfd8c92194e63de886a9292f9a94674b4f5ea51ee7696dac245cd4b
Opcode Fuzzy Hash: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction Fuzzy Hash: C801D430394214BBFB1067689C8AF693F99DF4EB12F600015F318AF0D1CDF26494CA69

Function 00BC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BC1449,?,?,00000000), ref: 00BC180C
HeapAlloc.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BC1449,?,?,00000000), ref: 00BC1830
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1843
GetCurrentProcess.KERNEL32(00BC1449,00000000,?,00BC1449,?,?,00000000), ref: 00BC184B
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC184E
CreateThread.KERNEL32(00000000,00000000,00BC1874,00000000,00000000,00000000), ref: 00BC1868

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction ID: 606141d915eacb2bccd0f5b83b8abfa18ebd4183ca8f91eddd1a1ff491c9a547
Opcode Fuzzy Hash: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction Fuzzy Hash: C901BBB5240308BFE710ABA5DD4DF6B3FACEB89B11F104411FA05EB1A2CA709950DB60

Function 00BEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BCD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Part of subcall function 00BCD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Part of subcall function 00BCD4DC: CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA16D
GetLastError.KERNEL32 ref: 00BEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BEA268
GetLastError.KERNEL32(00000000), ref: 00BEA273
CloseHandle.KERNEL32(00000000), ref: 00BEA2C4

Strings

SeDebugPrivilege, xrefs: 00BEA18F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction ID: 7c616e683ae85e4fd78e0518455f45d9fd70f9f8df1d240a5d5ffc79d562d765
Opcode Fuzzy Hash: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction Fuzzy Hash: 1C617A302042829FD710DF19C494F25BBE5AF44318F1484DCE56A9B7A3C776ED89CB92

Function 00BF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BF3954
_wcslen.LIBCMT ref: 00BF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BF39F4

Strings

SysListView32, xrefs: 00BF38F7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction ID: d049b83cc5f7e5b82a73512a447a945b8b74efa5de25825fd0a1a01bab62203e
Opcode Fuzzy Hash: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction Fuzzy Hash: 5641C231A0021CABDF219F64CC45BFA7BE9EF08750F100566FA49E7281D7B59A84CB90

Function 00BCBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCBCFD
IsMenu.USER32(00000000), ref: 00BCBD1D
CreatePopupMenu.USER32 ref: 00BCBD53
GetMenuItemCount.USER32(01405668), ref: 00BCBDA4
InsertMenuItemW.USER32(01405668,?,00000001,00000030), ref: 00BCBDCC

Strings

2, xrefs: 00BCBD37
0, xrefs: 00BCBCA8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction ID: 4e7c3768990505f8585a67135a639e6b8b64e22221766fc71f604a1dbeae0d82
Opcode Fuzzy Hash: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction Fuzzy Hash: 2951BC70A00209ABDB10CFA8D8C6FAEBBF8FF55314F2441ADE452EB290D7709945CB61

Function 00BCC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BCC913

Strings

warning, xrefs: 00BCC8FC
info, xrefs: 00BCC8B4
blank, xrefs: 00BCC895
question, xrefs: 00BCC8CC
stop, xrefs: 00BCC8E4

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction ID: ebe80c66337142715050f04b7cb591ee244a20fc2bc08b4ab48bf177b9d92e32
Opcode Fuzzy Hash: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction Fuzzy Hash: 35110D31689317BAE705AB54AC83EAB6BECDF25754B1000BEF508A62D2D7F09D409365

Function 00BCDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BCDE42
gethostname.WSOCK32(?,00000100), ref: 00BCDE5C
gethostbyname.WSOCK32(?), ref: 00BCDE69
inet_ntoa.WSOCK32(?), ref: 00BCDEAB
_strcat.LIBCMT ref: 00BCDEB9
WSACleanup.WSOCK32 ref: 00BCDEDE

Strings

0.0.0.0, xrefs: 00BCDE87

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f8da6706823f9bd6ae48153e415ef113e10f65d2f1c79d5abc14baba4c988c45
Instruction ID: 667017a02837bf1d224c82395bb0f8784442a58cb6d1a5a07f982677e7756e3c
Opcode Fuzzy Hash: f8da6706823f9bd6ae48153e415ef113e10f65d2f1c79d5abc14baba4c988c45
Instruction Fuzzy Hash: 6911D53590411AAFCB207B249C4AEEA77ECDB14711F0101FEF509970A1EF708A85CB60

Function 00BF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetSystemMetrics.USER32(0000000F), ref: 00BF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00BF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BFA263
ShowWindow.USER32(00000003,00000000), ref: 00BFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00BFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BFA2CA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction ID: 1a7f220199eca48cb7a02757bd77fae59af984a3dee1b9260376b0ea55e27211
Opcode Fuzzy Hash: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction Fuzzy Hash: AFB18B716002199FDF18CF68C9857BE7BF2FF44701F0980A9EE49AB295D731AA44CB51

Function 00BCED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BCED2A
_wcslen.LIBCMT ref: 00BCED3B
_wcslen.LIBCMT ref: 00BCED79
_wcslen.LIBCMT ref: 00BCEDAF
_wcslen.LIBCMT ref: 00BCEDDF
_wcslen.LIBCMT ref: 00BCEDEF
_wcslen.LIBCMT ref: 00BCEE2B
_wcslen.LIBCMT ref: 00BCEE5A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction ID: f2bd29289de704be0bf733d6b79551ad65d479a58ca0ddfb7f38bef225dd3758
Opcode Fuzzy Hash: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction Fuzzy Hash: BB418365C10119B6CB21FBB4C88AACFB7E8AF45710F5084A7E528E3172FB34D655C3A5

Function 00B7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00B7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF454

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction ID: dced9dd6682ce9a39781d1d660f8e1c8ddac22809183e66c86f6e5e2d71fd03b
Opcode Fuzzy Hash: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction Fuzzy Hash: 9C41F831608642BBC7399B2D8DC87BA7BD2EB56310F14C4BCE66F57660DA71E880CB15

Function 00BF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BF2D1B
GetDC.USER32(00000000), ref: 00BF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00BF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BF2DE1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction ID: 613d5b36c4ff6a7eea2501f5d643b411f537d021f8f459bc4b868a3e6b165938
Opcode Fuzzy Hash: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction Fuzzy Hash: 91317C76201618BBEB118F50CC89FBB3FA9EB09711F044065FE08DB291CA759C95C7A0

Function 00BC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5637
_memcmp.LIBVCRUNTIME ref: 00BC5659
_memcmp.LIBVCRUNTIME ref: 00BC5671
_memcmp.LIBVCRUNTIME ref: 00BC5684
_memcmp.LIBVCRUNTIME ref: 00BC569E
_memcmp.LIBVCRUNTIME ref: 00BC56B1
_memcmp.LIBVCRUNTIME ref: 00BC56C9
_memcmp.LIBVCRUNTIME ref: 00BC56E4

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction ID: 10d0d7793e72490df4f11d1104a24b9d657e36314f92b375968173210a135cf4
Opcode Fuzzy Hash: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction Fuzzy Hash: B521A761641A1A77D624AE248D82FBA33DCEF21384F4404F9FE049B591F721FD95C2A9

Function 00BE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00BE502E, 00BE5383
Not an Object type, xrefs: 00BE5007

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction ID: ac2fdc356ff952315e573d323f962a4986ab324afa8414d2bc5f1ec2e213f01f
Opcode Fuzzy Hash: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction Fuzzy Hash: 30D1B371A0064A9FDF20CF99C881BAEB7F5FF48358F1481A9E915AB281E770DD45CB50

Function 00BA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00BA15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BA1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BA16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BA16FB

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BA1777
__freea.LIBCMT ref: 00BA17A2
__freea.LIBCMT ref: 00BA17AE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction ID: bf60ec053638ef62ee9cdbfd8ad0e1fba2925c1b3753182f89bac65c82ac3a8b
Opcode Fuzzy Hash: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction Fuzzy Hash: D991C571E082169ADF648E7CC881EEE7BF5DF5A710F184AA9E802E7181DB35DD40CB60

Function 00BE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE4648
VariantInit.OLEAUT32(?), ref: 00BE4749
VariantClear.OLEAUT32(?), ref: 00BE4753
VariantClear.OLEAUT32(?), ref: 00BE47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00BE472C
Null Object assignment in FOR..IN loop, xrefs: 00BE45D8, 00BE4706, 00BE47BE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ef0fe8d4f1553411c980ed8f4ed45de944a902ebfa60e776a06b902462beaeee
Instruction ID: 4784eb15f87aa7c2332968a474570f57347111e2528e92ca192fed2518548a86
Opcode Fuzzy Hash: ef0fe8d4f1553411c980ed8f4ed45de944a902ebfa60e776a06b902462beaeee
Instruction Fuzzy Hash: 1A917F71A00259AFDF20CFA6D884FAEBBF8EF46714F108599F515AB280D7709D45CBA0

Function 00BD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00BD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00BD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD1430

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction ID: 05dcdb139bf826fc901a052c3850097aba3dd4a4eb93897ff1c4104956f300ce
Opcode Fuzzy Hash: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction Fuzzy Hash: 5491AF71A00209AFDB009F98C885BBEB7F5FF45325F1488AAE910E7391E775A941CF94

Function 00B7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction ID: 7e0f5f80849f88698f780e25daf0d9980e83fc5a7025ac35b65323ce7dfb073a
Opcode Fuzzy Hash: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction Fuzzy Hash: 8E911571D44219EFCB10CFA9C884AEEBBF8FF89320F148595E525B7251D774AA42CB60

Function 00BE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE396B
CharUpperBuffW.USER32(?,?), ref: 00BE3A7A
_wcslen.LIBCMT ref: 00BE3A8A
VariantClear.OLEAUT32(?), ref: 00BE3C1F

Part of subcall function 00BD0CDF: VariantInit.OLEAUT32(00000000), ref: 00BD0D1F
Part of subcall function 00BD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00BD0D28
Part of subcall function 00BD0CDF: VariantClear.OLEAUT32(?), ref: 00BD0D34

Strings

Incorrect Parameter format, xrefs: 00BE39A6, 00BE3BA1
AUTOIT.ERROR, xrefs: 00BE3A80, 00BE3A85

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction ID: fe477084ab3aa2942362a2812249800ce5f61d8af616535cc425329bdf147282
Opcode Fuzzy Hash: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction Fuzzy Hash: 37918B746083459FC700DF29C58496AB7E4FF88714F1488AEF88A9B351DB31EE45CB92

Function 00BE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
Part of subcall function 00BC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
Part of subcall function 00BC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
Part of subcall function 00BC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BE4C51
_wcslen.LIBCMT ref: 00BE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BE4DCF
CoTaskMemFree.OLE32(?), ref: 00BE4DDA

Strings

NULL Pointer assignment, xrefs: 00BE4E23, 00BE4E52

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction ID: de88e52f17a56de4ae72d9372a387f2defdd04dd0f202cc3a4db50950f8bba51
Opcode Fuzzy Hash: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction Fuzzy Hash: 49910471D0025DAFDF14DFA5D891AEEBBB8FF08300F1085A9E915A7291EB749A44CF60

Function 00BF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BF2183
GetMenuItemCount.USER32(00000000), ref: 00BF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BF21DD
_wcslen.LIBCMT ref: 00BF2213
GetMenuItemID.USER32(?,?), ref: 00BF224D
GetSubMenu.USER32(?,?), ref: 00BF225B

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF22E3

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 37325ec205f061584f089eb0aceb3b5d86d20bf12b0f0396d69ccc9532952e50
Instruction ID: ddd7979de55ee07af6c4959d8520a24ef909db7ec5ba5baf360e9900f26db47a
Opcode Fuzzy Hash: 37325ec205f061584f089eb0aceb3b5d86d20bf12b0f0396d69ccc9532952e50
Instruction Fuzzy Hash: 30714E75A00209AFCB14DFA4C885ABEBBF5EF48310F148499E956EB351DB34EE45CB90

Function 00BF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01405780), ref: 00BF7F37
IsWindowEnabled.USER32(01405780), ref: 00BF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BF801E
SendMessageW.USER32(01405780,000000B0,?,?), ref: 00BF8051
IsDlgButtonChecked.USER32(?,?), ref: 00BF8089
GetWindowLongW.USER32(01405780,000000EC), ref: 00BF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BF80C3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction ID: 04d9626f55bfff08a8ae17f42585e7e823280b1daba2f402153c2301ea3bea05
Opcode Fuzzy Hash: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction Fuzzy Hash: 37717D3464824DAFEB219F64C884FFABBF9EF19300F1444D9EA45972A1CF31A949DB50

Function 00BCAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BCAEF9
GetKeyboardState.USER32(?), ref: 00BCAF0E
SetKeyboardState.USER32(?), ref: 00BCAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BCAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BCAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BCAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BCB020

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction ID: 44dab5380b61decde1b2667889c437abb2c498baf5f7e3f75ab7e1f71d826201
Opcode Fuzzy Hash: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction Fuzzy Hash: 2F5192A06046D93DFB3652348C46FBE7EE99B06308F0885CDE1D5968C2D7A9ACC4D752

Function 00BCACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BCAD19
GetKeyboardState.USER32(?), ref: 00BCAD2E
SetKeyboardState.USER32(?), ref: 00BCAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BCADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BCADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BCAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BCAE38

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction ID: 4ac61b30f1aab688da738adc49e129bdf5e42709dbda6ec14ac173848e07fa56
Opcode Fuzzy Hash: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction Fuzzy Hash: FB51E6A15047DA3DFB3283348C85F7ABEE89B45309F0884DCE1D6968C3C694EC84D7A2

Function 00B9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BA3CD6,?,?,?,?,?,?,?,?,00B95BA3,?,?,00BA3CD6,?,?), ref: 00B95470
__fassign.LIBCMT ref: 00B954EB
__fassign.LIBCMT ref: 00B95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BA3CD6,00000005,00000000,00000000), ref: 00B9552C
WriteFile.KERNEL32(?,00BA3CD6,00000000,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B9554B
WriteFile.KERNEL32(?,?,00000001,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B95584

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction ID: 0a278ce0bdc047bed412c5ec7e6f9c2ae2abcb15ca8b8bf63413664988776301
Opcode Fuzzy Hash: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction Fuzzy Hash: 9551D471A006099FDF21CFA8D885BEEBBF9EF19300F1541AAF555E7292D7309A41CB60

Function 00B82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B82D53
_ValidateLocalCookies.LIBCMT ref: 00B82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B82E0C
_ValidateLocalCookies.LIBCMT ref: 00B82E61

Strings

csm, xrefs: 00B82DF6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction ID: 728a610ab9a0c00dbdf6108306ff88c35d47b9eea178f02f16bdb945ee8367be
Opcode Fuzzy Hash: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction Fuzzy Hash: 51418434A00209ABCF10EF68C885A9EBFF5FF45724F1481A5E8156B3B2D7759A15CBD0

Function 00BE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BE1112
WSAGetLastError.WSOCK32 ref: 00BE1121
WSAGetLastError.WSOCK32 ref: 00BE11C9
closesocket.WSOCK32(00000000), ref: 00BE11F9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction ID: 178760ef1a448ab2add51490d1e508bf99e404e67b8e2be4be6fad29c6336f54
Opcode Fuzzy Hash: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction Fuzzy Hash: F7411A31600144AFDB109F59C884BB9BBE9FF45354F248499FD05AB291CB74ED85CBE2

Function 00BCCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BCCF45
MoveFileW.KERNEL32(?,?), ref: 00BCCF7F
_wcslen.LIBCMT ref: 00BCD005
_wcslen.LIBCMT ref: 00BCD01B
SHFileOperationW.SHELL32(?), ref: 00BCD061

Strings

\*.*, xrefs: 00BCCFF3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction ID: 96a9312dcedbbef6d34e3d54b5aa2a3607b9f0f5da5eb45fbde109f639f702f2
Opcode Fuzzy Hash: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction Fuzzy Hash: 084143759052189EDF12EBA4C981FDDB7F8EF18380F0000EEE509EB141EA34A688CB50

Function 00BF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00BF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF2F0B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction ID: 5283d219c2857174a77466762a577f6b29e53b22423390235bf35208ac44c10a
Opcode Fuzzy Hash: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction Fuzzy Hash: 4031F630654258EFDB218F58DD85F793BE1EB5A720F2901A4FA00CF2B1CB71A848DB41

Function 00BC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC778F
SysAllocString.OLEAUT32(00000000), ref: 00BC7792
SysAllocString.OLEAUT32(?), ref: 00BC77B0
SysFreeString.OLEAUT32(?), ref: 00BC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC77DE
SysAllocString.OLEAUT32(?), ref: 00BC77EC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ef05b90abebca45230d2f372628729952ae480990120e6ef56262b1d58a36253
Instruction ID: 822dbbe826ae9475395a4b68bf0b75ea139edadf68f7f03b6913acaffc19c3ca
Opcode Fuzzy Hash: ef05b90abebca45230d2f372628729952ae480990120e6ef56262b1d58a36253
Instruction Fuzzy Hash: F821B27660421DAFDB10DFA8CC88DBB77ECEB09364700806AF914DB250DA70DC85CBA4

Function 00BC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7868
SysAllocString.OLEAUT32(00000000), ref: 00BC786B
SysAllocString.OLEAUT32 ref: 00BC788C
SysFreeString.OLEAUT32 ref: 00BC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC78AF
SysAllocString.OLEAUT32(?), ref: 00BC78BD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: af957b23be6238b73ef5304e3954314368e72997ca91d8664745635095578f01
Instruction ID: 83ffa6d2e784f7297a58d6582b2d49a25ea08bc8789b2e16b557d8f26b79dacb
Opcode Fuzzy Hash: af957b23be6238b73ef5304e3954314368e72997ca91d8664745635095578f01
Instruction Fuzzy Hash: DD214735604109AFDB109FA9DC8DEBA7BECEB097607108169FA15CB2A1DE74DC41CB64

Function 00BD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD052E

Strings

nul, xrefs: 00BD0567

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction ID: 342fd00cc89bdbd42cacd7480db5d3186b9712561f22af3560d750a5c7c60eb9
Opcode Fuzzy Hash: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction Fuzzy Hash: 3E215175510305DBDB20AF29E885B5ABBF4EF54728F204A5AECA1D72E0E7709950DF20

Function 00BD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD0601

Strings

nul, xrefs: 00BD0639

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction ID: 3587786f35b7ec6815b5e14d395a1af839df1fe66bc1f7fe985b89f489608e3f
Opcode Fuzzy Hash: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction Fuzzy Hash: 6D2144755103059BDB20AF799C44B5AB7E4EF95724F200A9AE8A1E73D0E770D960CB10

Function 00BF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BF4145

Strings

Msctls_Progress32, xrefs: 00BF40E3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction ID: 05421f643ad82d52a49812f3a427ac5dbf58bfa20cd516cf30d69e4c86a24ba2
Opcode Fuzzy Hash: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction Fuzzy Hash: B2118EB215021DBEEF118E64CC85EE77F9DEF08798F014110BB18A7090CB729C61DBA4

Function 00B9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D7A3: _free.LIBCMT ref: 00B9D7CC

_free.LIBCMT ref: 00B9D82D

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D838
_free.LIBCMT ref: 00B9D843
_free.LIBCMT ref: 00B9D897
_free.LIBCMT ref: 00B9D8A2
_free.LIBCMT ref: 00B9D8AD
_free.LIBCMT ref: 00B9D8B8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 92cd939704d49c68216578c674035423cf9d4060196888192ea6c8844692a1be
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 33112B71940B04BADE21FFF1CC47FCB7BDCAF04700F4148B5B29DA6592DA69B90586A0

Function 00BCDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BCDA74
LoadStringW.USER32(00000000), ref: 00BCDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BCDA91
LoadStringW.USER32(00000000), ref: 00BCDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BCDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BCDAB9

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction ID: 644244fd1f52abecd460ef13b69c2c8a6f4b70d819f95df686f9875255324ff5
Opcode Fuzzy Hash: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction Fuzzy Hash: 880162F650020C7FE750ABA49E89EF7766CE708701F4004A5B746E3041EA749EC48F74

Function 00BD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(013FE8D8,013FE8D8), ref: 00BD097B
EnterCriticalSection.KERNEL32(013FE8B8,00000000), ref: 00BD098D
TerminateThread.KERNEL32(?,000001F6), ref: 00BD099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00BD09A9
CloseHandle.KERNEL32(?), ref: 00BD09B8
InterlockedExchange.KERNEL32(013FE8D8,000001F6), ref: 00BD09C8
LeaveCriticalSection.KERNEL32(013FE8B8), ref: 00BD09CF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction ID: e6b52668b84aa7a284f2734b90cb95db28f99b3390085713a84c6fef983a6f9b
Opcode Fuzzy Hash: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction Fuzzy Hash: 84F01D31442506ABD7415B94EF88BE6BA25FF01702F501016F101928A0DB7494A5DF90

Function 00B65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B65D30
GetWindowRect.USER32(?,?), ref: 00B65D71
ScreenToClient.USER32(?,?), ref: 00B65D99
GetClientRect.USER32(?,?), ref: 00B65ED7
GetWindowRect.USER32(?,?), ref: 00B65EF8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction ID: e098f947d25a4f1485226cc08f9921528fedaae72109c9d756d527279d0251f7
Opcode Fuzzy Hash: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction Fuzzy Hash: 3BB17A34A0464ADFDB20CFA8C4807EEB7F1FF58310F14845AE8A9D7250DB78AA61DB50

Function 00B901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B900D6
__allrem.LIBCMT ref: 00B900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9010B
__allrem.LIBCMT ref: 00B90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B90140

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c7a4d79a12cd9cddd16cb0ee4c1e0667e016db6e5ee0e07ef3345d6209432145
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 6181E572A017169FEB24BF68CC81B6BB3E9EF41724F2445BAF551D6291E770D900CB90

Function 00BE1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00BE101C,00000000,?,?,00000000), ref: 00BE3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BE1DE1
WSAGetLastError.WSOCK32 ref: 00BE1DF2
inet_ntoa.WSOCK32(?), ref: 00BE1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00BE1EDB
_strlen.LIBCMT ref: 00BE1F35

Part of subcall function 00BC39E8: _strlen.LIBCMT ref: 00BC39F2

Part of subcall function 00B66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00B7CF58,?,?,?), ref: 00B66DBA
Part of subcall function 00B66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00B7CF58,?,?,?), ref: 00B66DED

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 143233f2124c84838d70f4c156cabb93b1799bcbfb9286b9aa486cf5621465f6
Instruction ID: 84be378d1463c8a254dbc1ab3221a481c24d5cf3a75329132ef5c82b34f0905b
Opcode Fuzzy Hash: 143233f2124c84838d70f4c156cabb93b1799bcbfb9286b9aa486cf5621465f6
Instruction Fuzzy Hash: 31A1B131104380AFC324DF29C895F2A7BE5EF84318F64899CF4569B2A2DB71ED85CB91

Function 00B961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B882D9,00B882D9,?,?,?,00B9644F,00000001,00000001,8BE85006), ref: 00B96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B9644F,00000001,00000001,8BE85006,?,?,?), ref: 00B962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B963D8
__freea.LIBCMT ref: 00B963E5

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

__freea.LIBCMT ref: 00B963EE
__freea.LIBCMT ref: 00B96413

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction ID: ea4978aee00d3f5a66997484be552d2524c8bfe2efb2833054e53c7826f36015
Opcode Fuzzy Hash: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction Fuzzy Hash: A451CF72A04216ABEF268F68CC81EAF7BE9EB44750F1546B9F805D7140EB34DC50D664

Function 00BEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00BEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEBDF3
RegCloseKey.ADVAPI32(?), ref: 00BEBDFF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 64c4569a5d977097e496f9eb0113a0c2cf2a20b2b6ce966d03d2353f3be2887a
Instruction ID: a16a8b3298521ecb86673f712827c83a6546bfe9b57734365195ddd9200e5bd6
Opcode Fuzzy Hash: 64c4569a5d977097e496f9eb0113a0c2cf2a20b2b6ce966d03d2353f3be2887a
Instruction Fuzzy Hash: D3816F31118241AFD714DF25C895E2BBBE5FF84308F1489ACF55A4B2A2DB31ED45CB92

Function 00BBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BBF860
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF889
VariantClear.OLEAUT32(00BBFA64), ref: 00BBF8AD
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF8B1
VariantClear.OLEAUT32(?), ref: 00BBF8BB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction ID: dde9eef3057df425278935626b781da9cf32d06906812d368c6e3b19ca9abbc3
Opcode Fuzzy Hash: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction Fuzzy Hash: E6519E31600312BBCF24AB65DC95BB9B3E8EF45710B2494F7E906DF291DAB08C40CB96

Function 00BD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BD94E5
_wcslen.LIBCMT ref: 00BD9506
_wcslen.LIBCMT ref: 00BD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00BD9585

Strings

X, xrefs: 00BD9412

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3533dd7ece567bb553e2a8cfa60c933e96d16cbed5d7c875d93d8cbebd85bac9
Instruction ID: 584c3c7a00f78273f104e760d8b5fcb326d78d65d90af0731ca50cc3a25b8b07
Opcode Fuzzy Hash: 3533dd7ece567bb553e2a8cfa60c933e96d16cbed5d7c875d93d8cbebd85bac9
Instruction Fuzzy Hash: 25E1A2315043009FD724EF24C881A6AB7E4FF95314F1489AEF8999B3A2EB31DD45CB92

Function 00B7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

BeginPaint.USER32(?,?,?), ref: 00B79241
GetWindowRect.USER32(?,?), ref: 00B792A5
ScreenToClient.USER32(?,?), ref: 00B792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B792D3
EndPaint.USER32(?,?,?,?,?), ref: 00B79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BB71EA

Part of subcall function 00B79339: BeginPath.GDI32(00000000), ref: 00B79357

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction ID: 7d86c8ae4e42f309bfd45307eb9c9f27d410ebf6ade2e62de31476b87927a25b
Opcode Fuzzy Hash: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction Fuzzy Hash: FA41AD70108300AFD710DF28DC84FBA7BE8EF85320F1442A9F9A9972A2CB719845DB61

Function 00BD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00BD0847
EnterCriticalSection.KERNEL32(?), ref: 00BD0863
LeaveCriticalSection.KERNEL32(?), ref: 00BD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD0921

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bc92e66e7eeda0261391d16d4699ef2505aa4ab0afbe0923eb368776f5f3464b
Instruction ID: 9db1c0a9fbf72fcb768f456900bb8eb1392b3fd88f20d8c9afd803c623774bc1
Opcode Fuzzy Hash: bc92e66e7eeda0261391d16d4699ef2505aa4ab0afbe0923eb368776f5f3464b
Instruction Fuzzy Hash: 17417C71910205EBDF14AF54DC85B6ABBB8FF04300F1480A5ED04AB297EB31DE65DBA4

Function 00BF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BBF3AB,00000000,?,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BF824C
EnableWindow.USER32(?,00000000), ref: 00BF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BF82D1
ShowWindow.USER32(?,00000004), ref: 00BF82E5
EnableWindow.USER32(?,00000001), ref: 00BF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BF832F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction ID: 515ab2914329974fea48a7b2ff0ce42810cccc390e0771bb2fe8b574a935e470
Opcode Fuzzy Hash: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction Fuzzy Hash: F9413234601648EFDB16CF15D999BF87BE1FB4A714F1841A9EA084B272CB31A849CF54

Function 00BC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BC4CEA
_wcslen.LIBCMT ref: 00BC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BC4D10
_wcsstr.LIBVCRUNTIME ref: 00BC4D1A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 10d8cab9f9a56103f435dbd719126044b3fd6d2ef1b44f131bfd63d88a687b48
Instruction ID: 2c63171db84ee437f95b903624d8dee3750b38071dbefdd816830d5d77d28236
Opcode Fuzzy Hash: 10d8cab9f9a56103f435dbd719126044b3fd6d2ef1b44f131bfd63d88a687b48
Instruction Fuzzy Hash: 3421C5326042057BEB256B299D59F7B7BE8DF45750F1080BDF80ACB1A1EB61DD40D6A0

Function 00BD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

_wcslen.LIBCMT ref: 00BD587B
CoInitialize.OLE32(00000000), ref: 00BD5995
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD59AE
CoUninitialize.OLE32 ref: 00BD59CC

Strings

.lnk, xrefs: 00BD5876, 00BD58C1, 00BD5985

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction ID: a3ee5d9709c4a83cf9aceb63a00e9f42b3d97be1b823ca1c2d6c8a1d7061d08f
Opcode Fuzzy Hash: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction Fuzzy Hash: CDD154716047019FC724DF24C490A2AFBE5EF89714F14889EF88A9B361EB35EC45CB92

Function 00BC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
Part of subcall function 00BC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
Part of subcall function 00BC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
Part of subcall function 00BC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

GetLengthSid.ADVAPI32(?,00000000,00BC1335), ref: 00BC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BC17BA
HeapAlloc.KERNEL32(00000000), ref: 00BC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BC1335), ref: 00BC17EE
HeapFree.KERNEL32(00000000), ref: 00BC17F5

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction ID: 4e0b49b38e720cc359cd8a23dce4f66657bd9b27626dde9761a68ec64a3cc5c2
Opcode Fuzzy Hash: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction Fuzzy Hash: 10118C71500209EFDB109FA8CD49FAE7BE9EF42355F10485DE441A7211CB359D95CB60

Function 00BC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BC1515
CloseHandle.KERNEL32(00000004), ref: 00BC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BC1563

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction ID: 130f9bef2bc3f02b651f40dd5428dda9b7566cdcacc9cc889831d1bd6a213091
Opcode Fuzzy Hash: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction Fuzzy Hash: 6D11597250020DABDF11CFA8DE49FEE7BA9EF49744F044058FA05A2160C771CEA5EB60

Function 00B83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B83379,00B82FE5), ref: 00B83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B833B7
SetLastError.KERNEL32(00000000,?,00B83379,00B82FE5), ref: 00B83409

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 44b70313d998117bb025fbd839a05390d87ec317444e214f0957379f45fb77f8
Instruction ID: d0e2358e1caa019ecfcc505d96e39735c58ea9f8761cb98bb1ac4c60f0ab9cc8
Opcode Fuzzy Hash: 44b70313d998117bb025fbd839a05390d87ec317444e214f0957379f45fb77f8
Instruction Fuzzy Hash: 3601D43261D311BEAA2537B8BCC5B6E2AD4EB05F7972002A9F410822F1EF114E02D788

Function 00B92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B95686,00BA3CD6,?,00000000,?,00B95B6A,?,?,?,?,?,00B8E6D1,?,00C28A48), ref: 00B92D78
_free.LIBCMT ref: 00B92DAB
_free.LIBCMT ref: 00B92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DEC
_abort.LIBCMT ref: 00B92DF2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction ID: 9b5849caaac8cd4e276f359096ef2949949d83b9e82681affa0352a4513cc1dd
Opcode Fuzzy Hash: a143a439da81c05d4d07b3c38238b145a5ce406d604cb91b71ff899a1185d2a1
Instruction Fuzzy Hash: 56F0A436D0560037CE226738AC46F2E29E9EFC27A1F2505B9F824932A2EE34884241A0

Function 00BF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BF8A80
EndPath.GDI32(?), ref: 00BF8A90
StrokePath.GDI32(?), ref: 00BF8AA0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction ID: a4f0c500e77750c55e7ce9d60acc84c35834f009bc996b8f0f842d0217b79591
Opcode Fuzzy Hash: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction Fuzzy Hash: 1E11C97600010DFFDB129F94DD88FAA7FADEB08354F048052BA199B1A1DB719D95DBA0

Function 00BC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC5230
ReleaseDC.USER32(00000000,00000000), ref: 00BC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BC5261

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction ID: 12390649eb028f6a91a75c3d3eef5b661f1fb75106c8442db70dc2c8f1d382ab
Opcode Fuzzy Hash: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction Fuzzy Hash: 9C018F75A00708BBEB109BA59D49F6EBFB8EB48351F044065FA04EB380DA709850CBA0

Function 00B61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction ID: e7ec3db64bf007369be1484dda33aed18ca5ecd60fb317313d04a77bc7b2ed6a
Opcode Fuzzy Hash: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction Fuzzy Hash: D5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00BCEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BCEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BCEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BCEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB75

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction ID: fb9115e4b6dc9fa0d6b187e19d71a22c91b993787f9eb2de9eb7c11bdd7d950d
Opcode Fuzzy Hash: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction Fuzzy Hash: 49F01772240158BBE7215B629D0EEFB3E7CEFCAB11F000158F611E30919BA05A41D6B5

Function 00BB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BB7469
GetWindowDC.USER32(?), ref: 00BB7475
GetPixel.GDI32(00000000,?,?), ref: 00BB7484
ReleaseDC.USER32(?,00000000), ref: 00BB7496
GetSysColor.USER32(00000005), ref: 00BB74B0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction ID: 70aac4c39f47842a9a5437f909f4ca8c252afc03c7aeaa1e930484fb1075ca58
Opcode Fuzzy Hash: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction Fuzzy Hash: 08014031404209EFEB505BA4DE09BBA7EB5FB04322F2400A0E926A32A0CF311E91EB10

Function 00BC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC187F
UnloadUserProfile.USERENV(?,?), ref: 00BC188B
CloseHandle.KERNEL32(?), ref: 00BC1894
CloseHandle.KERNEL32(?), ref: 00BC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC18A5
HeapFree.KERNEL32(00000000), ref: 00BC18AC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction ID: a9d707b0d2b30bf5ac819f359464e056480c78b574b2bf929c7154cf26a746fd
Opcode Fuzzy Hash: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction Fuzzy Hash: 7DE0C236004109BBDA016BA1EE0CD1ABF29FF49B22B108220F22593070CF3294B0EB50

Function 00BCC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC6EE
_wcslen.LIBCMT ref: 00BCC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BCC7CA

Strings

0, xrefs: 00BCC6AF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 344f6f28c0a94d168d3b176125820168e85b769fe076e29c404fbe3580685dfc
Instruction ID: 0fa090313945fc4dfd1c7dde76c8d17c3c6360e14bb3786779de5da33e15dfa2
Opcode Fuzzy Hash: 344f6f28c0a94d168d3b176125820168e85b769fe076e29c404fbe3580685dfc
Instruction Fuzzy Hash: D551BE716143019BD7119F28C985F6BBBE4EB69310F080AAEF999D31A0DB74DD04CB56

Function 00BEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BEAEA3

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetProcessId.KERNEL32(00000000), ref: 00BEAF38
CloseHandle.KERNEL32(00000000), ref: 00BEAF67

Strings

@, xrefs: 00BEAE72
<, xrefs: 00BEAE6B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2ce7cf4688661287cf69ddc2ea4607cf3443d622fcad61451d01218836d360c4
Instruction ID: ddec7bcabedff63ca9ecce53857f19a07013b881a314e2686aa5939d9e327e96
Opcode Fuzzy Hash: 2ce7cf4688661287cf69ddc2ea4607cf3443d622fcad61451d01218836d360c4
Instruction Fuzzy Hash: 59715670A00259DFCB14EF55C494A9EBBF4FF08314F148499E81AAB3A2CB74ED45CB91

Function 00BC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BC72CF

Strings

DllGetClassObject, xrefs: 00BC7242

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction ID: 212bc71b234119c132469deefe61589ad35dc7d2369b277f7d638a7480410086
Opcode Fuzzy Hash: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction Fuzzy Hash: 6D411A71A44204AFDB15CF54C984FAA7BE9EF45310B2480ADBD099F20ADBB1DA45CFA0

Function 00BF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3E35
IsMenu.USER32(?), ref: 00BF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3E92
DrawMenuBar.USER32 ref: 00BF3EA5

Strings

0, xrefs: 00BF3D89

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction ID: 099920541fdd8f7566eaa677b0b17bc342731ab6ed43834f63ac86a7688e3257
Opcode Fuzzy Hash: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction Fuzzy Hash: DC412475A1120DEFDF10DF60D884AEABBF9FF48764F0441A9EA05A7250D730AE49CB60

Function 00BC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BC1EA9

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Strings

ComboBox, xrefs: 00BC1DF0
ListBox, xrefs: 00BC1E25

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 79eca3d7993e35931f7a549e491df4cab62cb1a387d6a8e230cf5f3f6dfce2a2
Instruction ID: a85e5f4f829e58b650c2d12a6f94db08c946ab4b2b9efa15d6ccd132cb3bebfe
Opcode Fuzzy Hash: 79eca3d7993e35931f7a549e491df4cab62cb1a387d6a8e230cf5f3f6dfce2a2
Instruction Fuzzy Hash: 6C213571A00109BBDB14AB68DD46DFFBBF8DF46350B1485ADF825E31E2DB38494AC620

Function 00BEC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKLM, xrefs: 00BECA98, 00BECA9D
HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 170a358b91a15e6add61e656fdbd599091c565b0f613df1084efa702c0cb7a78
Instruction ID: a92c32a58d94df218fa3f3750c36948e8448ac97437072c5e4d1be153df503db
Opcode Fuzzy Hash: 170a358b91a15e6add61e656fdbd599091c565b0f613df1084efa702c0cb7a78
Instruction Fuzzy Hash: 44310673A001EA4BCB20EF2ED9805BE3BD1DBA1750B1561B9F855AB25DE770CD42D3A0

Function 00BF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BF2F8D
LoadLibraryW.KERNEL32(?), ref: 00BF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BF2FA9
DestroyWindow.USER32(?), ref: 00BF2FB1

Strings

SysAnimate32, xrefs: 00BF2F68

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction ID: 382ad4b961e5294a09213c52082f864c75dc6c5e3272bf45d15c21c246e04562
Opcode Fuzzy Hash: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction Fuzzy Hash: 2721977222420AABEB104FA4DC80EBB37F9EB69364F104668FA50D31A0D771DC959760

Function 00B84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002), ref: 00B84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000), ref: 00B84DC3

Strings

mscoree.dll, xrefs: 00B84D86
CorExitProcess, xrefs: 00B84D98

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction ID: 7985d461c7e29fb880a7633de9cce7ee5cbea796bffa3bfaff8a75aeb089338d
Opcode Fuzzy Hash: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction Fuzzy Hash: B4F03C34A40219ABDB11AB94DD49BAEBFF5EF44751F0000A4A809A36A0CF745E94CB91

Function 00B64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

Strings

kernel32.dll, xrefs: 00B64E94
Wow64DisableWow64FsRedirection, xrefs: 00B64EA8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction ID: 04bb6d0d7d370203b3e571386688a4f5af7010cfa1fac1893f1aadaaed79cadb
Opcode Fuzzy Hash: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction Fuzzy Hash: 09E0CD35E019365BD23117257D18B7F69D4EF81F627050165FD04F3111DF68CE45C4A0

Function 00B64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Strings

kernel32.dll, xrefs: 00B64E5B
Wow64RevertWow64FsRedirection, xrefs: 00B64E6E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction ID: 45dffb9b90085b16ba97048670ef24e25219371248e47046fb9115fd399583db
Opcode Fuzzy Hash: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction Fuzzy Hash: C7D0C239502A365B46221B247C08EAB6E58EF81B113050161B904B3110CF29CE52C1D0

Function 00BD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2C05
DeleteFileW.KERNEL32(?), ref: 00BD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CC0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: dfdec838243e40d52a82a043f08064648b65e67eba9a0637e811cf1bb0192400
Instruction ID: 06b4200732f028a7c8d19594177911e6bc17313dc5ee00d6cd9bd35ac5abf4bb
Opcode Fuzzy Hash: dfdec838243e40d52a82a043f08064648b65e67eba9a0637e811cf1bb0192400
Instruction Fuzzy Hash: 21B13C71D00119ABDF21EBA4CC85EEEBBBDEF59350F1040E6F909A7251EA349E44CB61

Function 00BEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BEA468
CloseHandle.KERNEL32(?), ref: 00BEA63D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction ID: b4d22cbb12453d829f53fa9c8f11ca24eb3cb4e312b159805aaf30972bb2d28b
Opcode Fuzzy Hash: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction Fuzzy Hash: 9EA18E71604340AFD720DF25C886F2AB7E5AF84714F14889DF59A9B392DBB4EC41CB92

Function 00BCE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BCE473
MoveFileW.KERNEL32(?,?), ref: 00BCE4AC
_wcslen.LIBCMT ref: 00BCE5EB
_wcslen.LIBCMT ref: 00BCE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BCE650

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction ID: b09171b5480c546f82863b7ba67dbc14c80fac2e78afc5afaeba31addfd6922a
Opcode Fuzzy Hash: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction Fuzzy Hash: 46514FB24087459BC724EB90D881EDFB7ECEF94340F00496EF59993191EE74E688CB66

Function 00BEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00BEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00BEBBB3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction ID: 9fa35ac41d19b13a34fbaaea0ac02d3e34490cb526495f10b8069032d1dfea74
Opcode Fuzzy Hash: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction Fuzzy Hash: 25618131208241AFD714DF25C890E2BBBE5FF84348F5495ACF4998B2A2DB35ED45CB92

Function 00BC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC8BCD
VariantClear.OLEAUT32 ref: 00BC8C3E
VariantClear.OLEAUT32 ref: 00BC8C9D
VariantClear.OLEAUT32(?), ref: 00BC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BC8D3B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction ID: 257a24d76785055fa94d7b2b900574b8a7f99b29993b93b253bc904a12c619f2
Opcode Fuzzy Hash: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction Fuzzy Hash: B0515BB5A00219EFCB14CF58D894EAABBF5FF89310B15856DE906DB350E730E911CB90

Function 00BD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BD8C5F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ddfd02369cbf677064887979e99534040475003ac5bfd569248c255e5ccbd7f2
Instruction ID: 7a6acc52a455250e220334d9d30c85e5c854eb337b498718bf04898a9b7a85c4
Opcode Fuzzy Hash: ddfd02369cbf677064887979e99534040475003ac5bfd569248c255e5ccbd7f2
Instruction Fuzzy Hash: 3A515A35A10219EFCB05DF64C880A6DBBF5FF48314F088099E84AAB362DB35ED51CB90

Function 00BE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00BE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00BE9032
FreeLibrary.KERNEL32(00000000), ref: 00BE9052

Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BD1043,?,753CE610), ref: 00B7F6E6
Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BBFA64,00000000,00000000,?,?,00BD1043,?,753CE610,?,00BBFA64), ref: 00B7F70D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction ID: ce72ddf07ffb619fa484046b561da2ae6ec0ee74c7dcebf335a6ebb61b405c85
Opcode Fuzzy Hash: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction Fuzzy Hash: 11513835600645DFCB11DF59C4948ADBBF1FF59324B0480E9E80AAB362DB31ED85CB90

Function 00BF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00BF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BDAB79,00000000,00000000), ref: 00BF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BF6CC7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction ID: 4fa8cf00e02610c1c98bf31e2b48553f849cc0f4d94e99fdc34c898c725b1a11
Opcode Fuzzy Hash: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction Fuzzy Hash: B941AF35A04108AFDB24CF68CD99FB97BE5EB09360F1502A8EE95E72A1C771AD45CA40

Function 00B92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B920C3
_free.LIBCMT ref: 00B920E3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction ID: bf089363635f7fa964a4b40d5d3d1993e19ed568f7a343aafa5b36af7d96a6a5
Opcode Fuzzy Hash: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction Fuzzy Hash: 8241AF32E00210AFCF24DF78C881A6DB7E5EF89314F1585B9E615EB392DA31AD01CB81

Function 00B7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B79141
ScreenToClient.USER32(00000000,?), ref: 00B7915E
GetAsyncKeyState.USER32(00000001), ref: 00B79183
GetAsyncKeyState.USER32(00000002), ref: 00B7919D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction ID: f6933155710367d3133cc1a196fbd9de9ef1e65793b959a437478036545e2e48
Opcode Fuzzy Hash: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction Fuzzy Hash: 7D416E7190850ABBDF059F68C844BFEB7B4FB45320F208295E429B72D0CB745954DBA1

Function 00BD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BD3922
TranslateMessage.USER32(?), ref: 00BD394B
DispatchMessageW.USER32(?), ref: 00BD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction ID: 5e79f1c35f966855a9d6d4d8edfeb7beda31f368aee9c6cb5997400793ccd23f
Opcode Fuzzy Hash: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction Fuzzy Hash: FB31FB705143419EEB35CB349898B76BBE4DB05710F0805ABE463832E2F7F99A84DB13

Function 00BDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00BDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFF2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d37d1c2774be22fe6d36135898787a050624b162a6477f7c0a7bcab08570b65a
Instruction ID: fad84aafe533676f2a08b15ed646965d53ff12a239306c0620b9260f55ad508f
Opcode Fuzzy Hash: d37d1c2774be22fe6d36135898787a050624b162a6477f7c0a7bcab08570b65a
Instruction Fuzzy Hash: F4312F71504206AFDB20DFA5C9849ABBFF9EB14351B1044AEF51AD3251EB30AD49DB60

Function 00BC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BC19E2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction ID: fa263ea4d20b9ff15390b8633494e508820ee7d44931ea3395d833d455e8124c
Opcode Fuzzy Hash: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction Fuzzy Hash: F731CF71A00219EFCB00CFACC998BEE7BB5EB05314F108669F921E72D1C7B09955CB90

Function 00BF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BF579D
_wcslen.LIBCMT ref: 00BF57AF
_wcslen.LIBCMT ref: 00BF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction ID: 20ea9a62e8c37ddf25d34b1d7fce10280fbe2276e367a7b5c893d778a73a63ae
Opcode Fuzzy Hash: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction Fuzzy Hash: F521307190461CAADB309F64CC85AFDBBF8EF04724F108296EB29EB194D7709989CF50

Function 00BE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BE0951
GetForegroundWindow.USER32 ref: 00BE0968
GetDC.USER32(00000000), ref: 00BE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00BE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00BE09E8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction ID: 2cdd91d11ba6004a2fabb7a7077e68ba4f44e4c411aa0241662e14c011f1bfe5
Opcode Fuzzy Hash: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction Fuzzy Hash: FA219335600204AFD704EF69D984AAEBBF5EF44700F0484ADF84AD7362DB74AD44CB50

Function 00B9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9CDE9

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B9CE0F
_free.LIBCMT ref: 00B9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9CE31

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction ID: 17d637374272fa676da1ee0ad5a1826ccd3785572fa2fb1932679dd6ed5cb9a0
Opcode Fuzzy Hash: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction Fuzzy Hash: EF01D472601A157F2B211ABA6C88C7B6EEDDEC6BA131501B9F906D7200EE609E01C2B4

Function 00B79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
SelectObject.GDI32(?,00000000), ref: 00B796A2
BeginPath.GDI32(?), ref: 00B796B9
SelectObject.GDI32(?,00000000), ref: 00B796E2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction ID: ff0afcd27ffec59acc371080a0ebf8946ad9ca9fb18d318510da65025d26f311
Opcode Fuzzy Hash: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction Fuzzy Hash: 36217C30812305EFDB119F28ED08BBD3BE8FB41725F188396F828A71A0D7709991CB94

Function 00BC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5726
_memcmp.LIBVCRUNTIME ref: 00BC5744
_memcmp.LIBVCRUNTIME ref: 00BC5757
_memcmp.LIBVCRUNTIME ref: 00BC576F
_memcmp.LIBVCRUNTIME ref: 00BC5787

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction ID: e2b11cbef11613b6e2878b2a49103dd010621e982a8b7e102d88f9fe3fb3765b
Opcode Fuzzy Hash: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction Fuzzy Hash: 59019671741619BA922866149D82FBA63DCDF21394B0044AAFE049B251F660FD95C2A8

Function 00B92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6), ref: 00B92DFD
_free.LIBCMT ref: 00B92E32
_free.LIBCMT ref: 00B92E59
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E66
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E6F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction ID: 0f7634020965e4e23ee2e83bb1d8afa43b6dca3e4e819759692b05f081f0fd49
Opcode Fuzzy Hash: ab89fb94a0a24751f479d508f6ce39e8f0da4824cfb8fb93993389a8187c8b59
Instruction Fuzzy Hash: A801A432E45E007BCE1267746DC6E2F2AEDEFD17A5B2540B9F425A3292EF748C414160

Function 00BC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0070

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction ID: 63ee7f907a7a3f93215cd4d3223324cf917b230b33f2c9d600a8162422ca895f
Opcode Fuzzy Hash: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction Fuzzy Hash: EB017872610208EBDB116F68ED44FBA7EEDEB44792F154168F905D3210EB71DD808BA0

Function 00BCE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BCE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BCE9A5
Sleep.KERNEL32(00000000), ref: 00BCE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BCE9B7
Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction ID: b3b31a8491767dc1ddb20fda7542b2439dc9ce6f7cbebd4a77bc9453cf381466
Opcode Fuzzy Hash: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction Fuzzy Hash: 5F015B31C0152DDBCF009BE4D949BEDBBB8FF09700F00458AE512B3140CB709691C761

Function 00BC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction ID: 4397722efd2e0f99e69dcd69761ff486307b5d5e008e5e242cff739933c14546
Opcode Fuzzy Hash: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction Fuzzy Hash: DC016975200209BFDB115FA8DD49E6A3FAEEF8A3A0B240458FA41E3360DF31DD50CA60

Function 00BC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction ID: fbad009cf51d697a4753cc4703fa8df460f11a25b617b02d68066083942ce72b
Opcode Fuzzy Hash: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction Fuzzy Hash: 04F04F35100305ABD7214FA89D49F663FADEF8A761F114455FA45D7251CE70DC90CA60

Function 00BC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction ID: ec296a61ed3218a6803b28c5a8e9a23e32b77eb7c7780ee85f0e715d8cbd06b9
Opcode Fuzzy Hash: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction Fuzzy Hash: 3FF06D35240309EBDB215FA8ED49F663FADEF8A761F210818FE45E7251CE70D990CA60

Function 00BD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0324
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0331
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD033E
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD034B
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0358
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0365

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction ID: 483bcf64eedabcf0c3e701d156d4fee600ff7b3044dd7c6f80d224fc220773a2
Opcode Fuzzy Hash: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction Fuzzy Hash: BB01EE72800B058FCB30AF66D880812FBF9FF603253058A3FD19252A30C3B0A998CF84

Function 00B9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9D752

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D764
_free.LIBCMT ref: 00B9D776
_free.LIBCMT ref: 00B9D788
_free.LIBCMT ref: 00B9D79A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction ID: 02fcbf584666ef8764ed7c4bb6734f25ba44e78799aaaa8cd4b7f1f349f051ae
Opcode Fuzzy Hash: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction Fuzzy Hash: B3F0FF32954204ABCA21EBA5F9C5E1E77DDFB447107A508A5F04CE7A51CB24FC8086A4

Function 00BC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BC5C6F
MessageBeep.USER32(00000000), ref: 00BC5C87
KillTimer.USER32(?,0000040A), ref: 00BC5CA3
EndDialog.USER32(?,00000001), ref: 00BC5CBD

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction ID: 81c10f070d55f98790de775bc8cd5e52053cd4b74897acf5278700de4de9f7d5
Opcode Fuzzy Hash: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction Fuzzy Hash: 85011230504B08ABEB315B10DE4EFA67BF8FB04B05F04159DA592A34E1DBF4B9C8CA90

Function 00B922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B922BE

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B922D0
_free.LIBCMT ref: 00B922E3
_free.LIBCMT ref: 00B922F4
_free.LIBCMT ref: 00B92305

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction ID: 317de6f3d4c37173c311067874a6247ed5f55cdce27eac43df33d7510f50fa2e
Opcode Fuzzy Hash: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction Fuzzy Hash: 53F05E71C20620AF8E22EF94BC41B0D3BE4F71876071405AAF814D63B1C7310912EFE4

Function 00B795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B795D4
StrokeAndFillPath.GDI32(?,?,00BB71F7,00000000,?,?,?), ref: 00B795F0
SelectObject.GDI32(?,00000000), ref: 00B79603
DeleteObject.GDI32 ref: 00B79616
StrokePath.GDI32(?), ref: 00B79631

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction ID: c30a26b86a19ecde1cba983a1aa1974cf889c94462fb587e58e21431da063e2b
Opcode Fuzzy Hash: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction Fuzzy Hash: 49F0C935015708EFDB169F65EE18B683FA5EB11332F088354F869560F1CB308AA5DF20

Function 00B90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B910F9
__freea.LIBCMT ref: 00B91117

Part of subcall function 00B91537: _free.LIBCMT ref: 00B9154F

Strings

a/p, xrefs: 00B911DE
am/pm, xrefs: 00B9117A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction ID: e621cf13604ea87f267c507a219d1a9e3afafe4d041b97439285087cb1685e2b
Opcode Fuzzy Hash: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction Fuzzy Hash: 9BD1D031904207EADF299F6CC895BBAB7F0EF05700F2449F9E901AB651D3359D80EB65

Function 00BE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B80242: EnterCriticalSection.KERNEL32(00C3070C,00C31884,?,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8024D
Part of subcall function 00B80242: LeaveCriticalSection.KERNEL32(00C3070C,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8028A

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

__Init_thread_footer.LIBCMT ref: 00BE7BFB

Part of subcall function 00B801F8: EnterCriticalSection.KERNEL32(00C3070C,?,?,00B78747,00C32514), ref: 00B80202
Part of subcall function 00B801F8: LeaveCriticalSection.KERNEL32(00C3070C,?,00B78747,00C32514), ref: 00B80235

Strings

G, xrefs: 00BE7C7F
5, xrefs: 00BE7C78
Variable must be of type 'Object'., xrefs: 00BE7C3A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: d9017771bccdcccd6983e299c96e009f943bf7076f94f25600aa4dae72dc0e94
Instruction ID: bdabea0b558265132df91db7b114c34068b34645d05dbefce4518474bc727e14
Opcode Fuzzy Hash: d9017771bccdcccd6983e299c96e009f943bf7076f94f25600aa4dae72dc0e94
Instruction Fuzzy Hash: 6D91AA70A44289EFCB04EF55D8809BDB7F5FF48300F108099F806AB292DB71AE45CB91

Function 00BC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21D0,?,?,00000034,00000800,?,00000034), ref: 00BCB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BC2760

Part of subcall function 00BCB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BCB3F8

Part of subcall function 00BCB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BCB355
Part of subcall function 00BCB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB365
Part of subcall function 00BCB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC281A

Strings

@, xrefs: 00BC2832

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction ID: 8962a3f6435fc98c9bad39578ac5631eee464436e54b8bb69b90cc8584861367
Opcode Fuzzy Hash: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction Fuzzy Hash: 8341FB76900218AFDB10DBA4CD86FEEBBB8EF49700F104099FA55B7181DB706E45CBA1

Function 00B9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B91769
_free.LIBCMT ref: 00B91834
_free.LIBCMT ref: 00B9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B91760, 00B91767, 00B91796, 00B917CE

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction ID: 78155bc22b4b6eab409285b3bf6f03eceb0528bb4992866e43d6f8c93f6f0ba9
Opcode Fuzzy Hash: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction Fuzzy Hash: 0F3150B5A0021AAFDF21DF999885E9EBBFCEB85350B1445F6F80497211D6708E41EBA0

Function 00BCC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BCC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BCC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C31990,01405668), ref: 00BCC395

Strings

0, xrefs: 00BCC2DF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction ID: 0b865291ee27b18092d269f193cf7965c8cb721a5180d7752fc91686c8220604
Opcode Fuzzy Hash: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction Fuzzy Hash: E94191712043419FD720DF24E885F1ABFE4EBE5310F10869DF8A9D7292D730A904CB66

Function 00BF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BFCC08,00000000,?,?,?,?), ref: 00BF44AA
GetWindowLongW.USER32 ref: 00BF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF44D7

Strings

SysTreeView32, xrefs: 00BF447C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction ID: 5cb16f8f46c467e845109bf158ca25fd3d579c38e247afcbce9d7594970fbf58
Opcode Fuzzy Hash: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction Fuzzy Hash: 13316D31214209AFDB209E78DC45BEB7BE9EB08324F204755FA75A32E0DB74EC549B50

Function 00BE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BE3077,?,?), ref: 00BE3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
_wcslen.LIBCMT ref: 00BE309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00BE3106

Strings

255.255.255.255, xrefs: 00BE3095, 00BE309A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction ID: 83574f8d0f22482da9f42e050e0269e6a24cecbd1e0ac41e9bfe2cedc614db23
Opcode Fuzzy Hash: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction Fuzzy Hash: 7331F3352002859FCB20CF6AC589FAA77E0EF54718F2480D9E8159B393CB36EE41C761

Function 00BF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF3F78

Strings

SysMonthCal32, xrefs: 00BF3F0B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction ID: e76235a1c1c6c3caa0888af6915e67c769a28bd168a993816779ac9257d1593f
Opcode Fuzzy Hash: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction Fuzzy Hash: 2D219F32610219BFDF118F50DC86FEA3BB5EF48724F110254FA15AB1D0D6B5AD94CBA0

Function 00BF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BF471A

Strings

msctls_updown32, xrefs: 00BF4684

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction ID: 3870e6325ff1b4ec5e7a008462262772166c8dc45a45c7876afa7384309f71fb
Opcode Fuzzy Hash: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction Fuzzy Hash: 11213EB5604209AFDB10DF64DCD1EBB37EDEB9A3A8B040199FA009B251CB71EC55CB60

Function 00BC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC961D

Strings

#requireadmin, xrefs: 00BC95D9
#OnAutoItStartRegister, xrefs: 00BC95F3
#notrayicon, xrefs: 00BC95B7

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ecff4a88fd186900b63d6ee8ec90fbdda448830475da139e9ddd1811495b442e
Instruction ID: 95d6f08b247bb3647ef477e5d99e20cb0bed692c822f33155f9c4baef3f37b3f
Opcode Fuzzy Hash: ecff4a88fd186900b63d6ee8ec90fbdda448830475da139e9ddd1811495b442e
Instruction Fuzzy Hash: DC21573220421167E331BB28DC4AFBB73D8EFA5714F5040BEFA8A97091EB65AD45C395

Function 00BF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BF3876

Strings

Listbox, xrefs: 00BF380F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction ID: d51a26672cef85de5195f24a7b89dd43d743970454140857f0199e82d27722b4
Opcode Fuzzy Hash: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction Fuzzy Hash: 5D21B072610118BBEB119F54CC81FBB37EAEF89B90F118164FA009B190CA75DC55C7A0

Function 00BD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00BFCC08), ref: 00BD4AD0

Strings

%lu, xrefs: 00BD4A6F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction ID: 3d76d8fa192781e058542c3723248ef8b6d144513ed5f25faa23ab7d5bd9f8d0
Opcode Fuzzy Hash: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction Fuzzy Hash: A3314175A00109AFDB10DF54C985EAABBF8EF04318F1480A5F509DB362DB75EE45CB61

Function 00BF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BF4271

Strings

msctls_trackbar32, xrefs: 00BF4226

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction ID: 9c6f0b6246125e4a8144bb1d1afa5602c56e8c378fe410bedd900defdd018c91
Opcode Fuzzy Hash: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction Fuzzy Hash: 4B11CE31250248BEEF205E28CC46FBB3BE8EB85B64F010624FA55E70A0D671D851DB20

Function 00BC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Part of subcall function 00BC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
Part of subcall function 00BC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
Part of subcall function 00BC2DA7: GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
Part of subcall function 00BC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

GetFocus.USER32 ref: 00BC2F78

Part of subcall function 00BC2DEE: GetParent.USER32(00000000), ref: 00BC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BC2FC3
EnumChildWindows.USER32(?,00BC303B), ref: 00BC2FEB

Strings

%s%d, xrefs: 00BC2FFF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction ID: e5ae622abd35578b20979adb0f9cd0752049045824f789e7c83ffbd080b59c67
Opcode Fuzzy Hash: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction Fuzzy Hash: C6119071600209ABDF556F649C86FFE37EAAF94304F0480B9B9099B292DE7099498B60

Function 00BF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58EE
DrawMenuBar.USER32(?), ref: 00BF58FD

Strings

0, xrefs: 00BF588F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b6f82b55b0d90b59a06419e88e2f1e874da7fdf926d976296fc9c1b3fc013cf9
Instruction ID: f5f609239115ff110c10f86b3622ac1d6e61d76cb137bc555d55f5e6ef66180b
Opcode Fuzzy Hash: b6f82b55b0d90b59a06419e88e2f1e874da7fdf926d976296fc9c1b3fc013cf9
Instruction Fuzzy Hash: 4E012731500218AEDB219F25DC85BBABBB4FB45360F10C0D9EA49D7251DB708A88EF21

Function 00BBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BBD3BF
FreeLibrary.KERNEL32 ref: 00BBD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00BBD3B9
X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction ID: d97bf8592bba89dbf1b8e6f3ea95abcba488701fdd0dfcb0f4515f14b8eeeed3
Opcode Fuzzy Hash: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction Fuzzy Hash: F2F0552240075A8BC7741210CC98AFD77E4EF10741BA982E9F016F30A5FBF8CD88C64A

Function 00BC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction ID: f580e428b0b6067efb05a41bc7cb55a1ebe36304a47dd372b0a80815e652f51e
Opcode Fuzzy Hash: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction Fuzzy Hash: 8BC14775A1021AEFDB14DFA8C894FAAB7B5FF88304F248598E505EB251D731EE41CB90

Function 00B93E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B93F0B
__alldvrm.LIBCMT ref: 00B9410C
__alldvrm.LIBCMT ref: 00B9412E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 561f21f11133bf88cdbaf92e6c43b666358b6c9c4dcc8d088982a42de72fce8a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0DA12476A042969FDF25CF28C891BAABFE5EF62350F1841FDE5859B281C3348982C750

Function 00BE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE3459
CoUninitialize.OLE32 ref: 00BE3463
VariantInit.OLEAUT32(?), ref: 00BE346E
VariantClear.OLEAUT32(?), ref: 00BE371B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction ID: b811ed85736baa0abff8271cea535327a93426f432dcca25f37aafeba0f6d0f4
Opcode Fuzzy Hash: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction Fuzzy Hash: F2A15C752183009FC710DF29C595A2AB7E5FF88714F04889DF98A9B362DB34EE45CB91

Function 00BC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC0608
CLSIDFromProgID.OLE32(?,?,00000000,00BFCC40,000000FF,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC062D
_memcmp.LIBVCRUNTIME ref: 00BC064E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction ID: 7095cafc3edb9e0b33b39002795b7937c08592006e05b322acd508cbd6cf1916
Opcode Fuzzy Hash: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction Fuzzy Hash: 0981F771A10109EFCB04DF94C984EEEB7F9FF89315F204598E516AB250DB71AE46CB60

Function 00BA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BA14C0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction ID: f72489724c00b113058df7fea9db04c7339c3ab74d48cb35d38a9c71c94e7807
Opcode Fuzzy Hash: f990d31baaac1b997f84817c75fa151b11c77769295d323fadaa9d7c7c985caf
Instruction Fuzzy Hash: F5414931A08115ABDF617FBD8C85ABE3AE4EF4B370F144AE5F418D6391EA3448419BA1

Function 00BF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF62E2
ScreenToClient.USER32(?,?), ref: 00BF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BF6382

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction ID: 765628753a7a7b3cbabf58d20488951b4873fed8469f3c50262d6a4e54cf09a7
Opcode Fuzzy Hash: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction Fuzzy Hash: 78511874A00209EFCB14DF68D980ABE7BF5EB55360F1481A9FE159B2A1D730ED85CB90

Function 00BE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE1AFD
WSAGetLastError.WSOCK32 ref: 00BE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BE1B8A
WSAGetLastError.WSOCK32 ref: 00BE1B94

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction ID: 60728a79e6192a405f8e5a2f01e85dd5f238c6500f6546cb80c9c617b0de4ed2
Opcode Fuzzy Hash: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction Fuzzy Hash: 9441A034600200AFE720AF24C886F2A77E5EB44718F54C498F95A9F3D2D776ED41CB90

Function 00B9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction ID: c8f8dba693bb113e66d86ff29b24461e22aa0cca9f75fd0278024c48752e389c
Opcode Fuzzy Hash: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction Fuzzy Hash: C441E275A00304AFDB24AF78D941FAABBE9EB88710F1045BEF151DB392D77199018780

Function 00BD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BD5783
GetLastError.KERNEL32(?,00000000), ref: 00BD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BD57FA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction ID: 0337e65802d103bdcae73b2525830202a7319d0b874840b0a235dccc439e3b31
Opcode Fuzzy Hash: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction Fuzzy Hash: 89415B39210610DFCB20EF15C554A5EBBF2EF99324B1884D9E84AAB362DB34FD40CB91

Function 00B9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B86D71,00000000,00000000,00B882D9,?,00B882D9,?,00000001,00B86D71,8BE85006,00000001,00B882D9,00B882D9), ref: 00B9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B9D9AB
__freea.LIBCMT ref: 00B9D9B4

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction ID: e9c4d980eb7775e76f7cddd91b3d99ec9cd6603866592fe1c35b26fe4d02fb24
Opcode Fuzzy Hash: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction Fuzzy Hash: 6831AE72A0020AABDF24AF65DC85EAE7BE5EB40710B1542A9FC05D7160EB35CD54CB90

Function 00BF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BF5352
GetWindowLongW.USER32(?,000000F0), ref: 00BF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF53A8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction ID: 4554e05cd0cf2d08c77635921554c616d228d67370c8030a48c19da50832cd20
Opcode Fuzzy Hash: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction Fuzzy Hash: 57319234A55A0CEFEB309A1CCC45BF877E5EB05390F584181FB12971E1C7B09988DB4A

Function 00BCAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00BCABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BCAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BCAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00BCACC6

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction ID: ea022528e725d910f21317ea607730794c12a4a55afc3833e9bce53acfae9a6a
Opcode Fuzzy Hash: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction Fuzzy Hash: A3311230A4421CAFFB248B688C09FFB7BE5EB89318F04429EE491971D1C374998587A2

Function 00BF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BF769A
GetWindowRect.USER32(?,?), ref: 00BF7710
PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720
MessageBeep.USER32(00000000), ref: 00BF778C

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction ID: 751fe95a1aa11c3ba3eb1a87295b655ab3bf42d4a680cec02e3d3518cb35e95b
Opcode Fuzzy Hash: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction Fuzzy Hash: 97416D34655218EFCB01EF58C894FB97BF5FB49314F1940E8EA249B261CB30AD49CB90

Function 00BF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BF16EB

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

GetCaretPos.USER32(?), ref: 00BF16FF
ClientToScreen.USER32(00000000,?), ref: 00BF174C
GetForegroundWindow.USER32 ref: 00BF1752

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction ID: a04757acb5833d8986e783c4a8a718bfaa5ac6e04069c1f647861e91df6204b4
Opcode Fuzzy Hash: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction Fuzzy Hash: D6313E75D00249AFC704EFA9C981DBEBBF9EF48304B5084AAE415E7211EA35DE45CFA0

Function 00BCDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

_wcslen.LIBCMT ref: 00BCDFCB
_wcslen.LIBCMT ref: 00BCDFE2
_wcslen.LIBCMT ref: 00BCE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00BCE018

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 490d907fa4afea0d55dcc6b4f004bab68eb790784e4488afc694480966e9a795
Instruction ID: d8ad960a29efe2564fd7dd1cec91f82baefc05a191409d056549d34873006250
Opcode Fuzzy Hash: 490d907fa4afea0d55dcc6b4f004bab68eb790784e4488afc694480966e9a795
Instruction Fuzzy Hash: 3F21A375900215EFCB20EFA8D982B6EB7F8EF45760F1440A9E805BB281D7709E41CBA1

Function 00BF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetCursorPos.USER32(?), ref: 00BF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BB7711,?,?,?,?,?), ref: 00BF9016
GetCursorPos.USER32(?), ref: 00BF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BB7711,?,?,?), ref: 00BF9094

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction ID: 03a83a3dc1ccc4c84b487391c4085837187644bacb100a397dd251e35d4c09aa
Opcode Fuzzy Hash: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction Fuzzy Hash: 04216D3560011CEFDB258FA4C859FFA7BF9EB89360F1440A5FA058B2A1CB319994DF60

Function 00BCD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BFCB68), ref: 00BCD2FB
GetLastError.KERNEL32 ref: 00BCD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BFCB68), ref: 00BCD376

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction ID: 429f27679db1e851dcb4dd88c04f0065c9cb4267cc176da0072d550b38f1e145
Opcode Fuzzy Hash: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction Fuzzy Hash: AA21B7745043059F8300DF24C98196E7BE8EF95364F104AADF495C72A1DB30D949CB97

Function 00BC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
Part of subcall function 00BC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
Part of subcall function 00BC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
Part of subcall function 00BC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BC15BE
_memcmp.LIBVCRUNTIME ref: 00BC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC1617
HeapFree.KERNEL32(00000000), ref: 00BC161E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction ID: 9b0734dac24b7d1db9a3f4ec637d7d43512fe679e36a60c989faf155aed8817f
Opcode Fuzzy Hash: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction Fuzzy Hash: 4F217C71E00108AFDB00DFA8C945FEEB7F8EF45344F184899E441B7242D730AA45DB50

Function 00BF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BF2840

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 83cc5c32dc7d7da2e64432372cfb3780064a1d9c50b4c40a1436c78f6b67d795
Instruction ID: fea500f652b9f9678b64519088c43727e050c8d103c1ef044aad224a2c78a6bd
Opcode Fuzzy Hash: 83cc5c32dc7d7da2e64432372cfb3780064a1d9c50b4c40a1436c78f6b67d795
Instruction Fuzzy Hash: A4212131204119AFD7109B24C841FBA7BE5EF45324F148198F526CB6E2CB71FC86C790

Function 00BC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8D8C
Part of subcall function 00BC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC8DB2
Part of subcall function 00BC8D7D: lstrcmpiW.KERNEL32(00000000,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7923
lstrcpyW.KERNEL32(00000000,?,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7984

Strings

cdecl, xrefs: 00BC797B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e082f21be179aca2dde97b390cddb61d0f4bf100ed5c1eb527349bee13f2c41d
Instruction ID: aacb7449364b5f39c120b8b5af30f3566a860313e1c7820b71ae9a2e7ec01abb
Opcode Fuzzy Hash: e082f21be179aca2dde97b390cddb61d0f4bf100ed5c1eb527349bee13f2c41d
Instruction Fuzzy Hash: ED11263A200302BBCB159F38D844E7A77E9FF85390B50806EF846C72A4EF719811CBA1

Function 00BF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BDB7AD,00000000), ref: 00BF7D6B

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction ID: c0325f569df874c250cd9ebdd2c6188e0f8fbda47bcacbe049f402466ecbd58e
Opcode Fuzzy Hash: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction Fuzzy Hash: 8411AC75258619AFCB108F28CC04ABA3BE5EF45360B5583B4F939CB2E0DB308965CB80

Function 00BF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BF56BB
_wcslen.LIBCMT ref: 00BF56CD
_wcslen.LIBCMT ref: 00BF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction ID: 075230d18467b01c07654758266691476637bd3b94771390f8fcca7a64f49856
Opcode Fuzzy Hash: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction Fuzzy Hash: 3811B47160060CAADB30AF61CCC5AFE77ECEF11760B1080A6FB15D7181EB709988CB64

Function 00B91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction ID: 5dacd50412efb4e713db70e28fdf487ac910c64d2faff7aa81f89e03c2264658
Opcode Fuzzy Hash: e72752929b44c8d9ad9736a4d1a0dd594ced88daa7b26ccba82aa7cf58e36602
Instruction Fuzzy Hash: 90014FB260561B7EFE11167C6CC1F67669DDF413B8B340BB5F535621E2DB608D40A170

Function 00BC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A8A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction ID: 3c834d8ad43b551803091f5c07fa7f8c6c3d1de160a23c4de16094ac92d127ee
Opcode Fuzzy Hash: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction Fuzzy Hash: A411393AD01219FFEB10DFA8CD85FADBBB8EB08750F200495EA10B7290D6716E50DB94

Function 00BCE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BCE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BCE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BCE24D

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction ID: cca0b31f656596c6f317b54d692f4b29b65011d504012177a5a236af32b7b29a
Opcode Fuzzy Hash: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction Fuzzy Hash: 0511C876904258BFC7019FA89C05FAE7FECDB45320F044259F924E72A1D770CD048BA0

Function 00B8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B8CFF9,00000000,00000004,00000000), ref: 00B8D218
GetLastError.KERNEL32 ref: 00B8D224
__dosmaperr.LIBCMT ref: 00B8D22B
ResumeThread.KERNEL32(00000000), ref: 00B8D249

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction ID: 82a56bf7cc15440a1299f11aa3570778857447ec703b21c1cbfafb7885cd3859
Opcode Fuzzy Hash: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction Fuzzy Hash: A601C036805209BBDB117FA5DC09AAA7FA9EF81330F10029AF925A21F0CF708945C7A0

Function 00B7990E Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1
GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction ID: 75f426b9f063dabeb1d87c5c2020b74e73eab64a4ab40a81b26fbc975cb9e242
Opcode Fuzzy Hash: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction Fuzzy Hash: 2A118C322462109FD7118F20EC94FFA7FA5DF6B365B08419DFA468B2A2DB314891C751

Function 00BF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetClientRect.USER32(?,?), ref: 00BF9F31
GetCursorPos.USER32(?), ref: 00BF9F3B
ScreenToClient.USER32(?,?), ref: 00BF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00BF9F7A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction ID: 1b30be844fde807f8375787aba0b9982dd2df9f9fa47fc2d87e075bf7167a273
Opcode Fuzzy Hash: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction Fuzzy Hash: 00112A3290011EABDB10DF68D985AFE7BB9FF45311F104495FA11E7151D730BA89CBA1

Function 00B6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
GetStockObject.GDI32(00000011), ref: 00B66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction ID: cf2e1819eeecd88704105b277c745d4eb202ba50d33c3471e69064121d08d563
Opcode Fuzzy Hash: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction Fuzzy Hash: 5B116D72501508BFEF165FA49C84EEABFADFF093A4F040265FA1553110DB369CA0DBA0

Function 00B83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B83B56

Part of subcall function 00B83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B83AD2
Part of subcall function 00B83AA3: ___AdjustPointer.LIBCMT ref: 00B83AED

_UnwindNestedFrames.LIBCMT ref: 00B83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B83BA4

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 28d4f055bf347d8418a261e86557f490ff8caff64c1e664f5fab9bc221c58108
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AB012972100149BBDF126E95CC42EEB7FE9EF48B54F044094FE4856131D732E961DBA0

Function 00B93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B613C6,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue), ref: 00B930A5
GetLastError.KERNEL32(?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000,00000364,?,00B92E46), ref: 00B930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000), ref: 00B930BF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction ID: 092c838fbbe09517e1aa4e2ed5c3d994e2f2156bb86c7487a00a97e8673457f0
Opcode Fuzzy Hash: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction Fuzzy Hash: B501D432301226ABCF314A789C84B6B7FD8EF05FA1B250670F915E3140CB21D945C6E0

Function 00BC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BC74CA

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction ID: d28d37e36325cca6f2b1406bcea936a10f77db2eee3d62bd5861fe39db8070e7
Opcode Fuzzy Hash: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction Fuzzy Hash: B711A1B12453149BE7208F14ED49FA2BFFCEB00B00F1085ADA626D7251DB70E944DF90

Function 00BCB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB126

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction ID: 202f7b70c55e9eb5cdd6b0780652616dfb2da5204232c71c5edc9af7096f9c3d
Opcode Fuzzy Hash: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction Fuzzy Hash: 48111831C1151CD7CF009FA4E99AFEEBBB8FF09711F114089D951B3181CB3056508B52

Function 00BF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF7E33
ScreenToClient.USER32(?,?), ref: 00BF7E4B
ScreenToClient.USER32(?,?), ref: 00BF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7E8A

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction ID: 772fbc8cbcdf69dfe5792c10fd8e741c51daaaec392fcd05c1381399fd1bb0e8
Opcode Fuzzy Hash: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction Fuzzy Hash: EA1113B9D0424EAFDB41DF98C9849EEBBF9FB08310F505096E915E3210D735AA95CF50

Function 00BC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction ID: b46d639db9bdb30ff03508325bf41004801d04b19ea168ce224f033ef3397712
Opcode Fuzzy Hash: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction Fuzzy Hash: 00E092711052287BD7201B729D0DFFB3EACEF53BA1F100069F506D30809EA0C980C6B0

Function 00BF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BF8887
LineTo.GDI32(?,?,?), ref: 00BF8894
EndPath.GDI32(?), ref: 00BF88A4
StrokePath.GDI32(?), ref: 00BF88B2

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction ID: b5a19d7b014a8bd265c5efd4bfc6112729222909e9bbec36a0839f1bc3b5b43e
Opcode Fuzzy Hash: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction Fuzzy Hash: 24F03A36041259BADB125FA4AD09FEE3E59AF06310F048141FA11670E2CB755561CBA5

Function 00B798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B798CC
SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction ID: 397bca79d9d55b38aeb446828ac028df905800b86157697f4d9ade65da4f4f6c
Opcode Fuzzy Hash: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction Fuzzy Hash: 12E06531244244ABEB215F74AD09BF83F50EB51336F148259F6F95A1E1CB714790DB10

Function 00BC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BC11D9), ref: 00BC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC164F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction ID: d41d7299af9e0297e9e16c929adc7090c8697176364b604a0a604368be93a95b
Opcode Fuzzy Hash: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction Fuzzy Hash: 4FE04632602215ABD7201BB4AE0DFA63FA8EF45792F148858F245DB080EE348485CB68

Function 00BBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD858
GetDC.USER32(00000000), ref: 00BBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction ID: 4fdb7d93eeb330ee62f8c24a7bcf288ddcc667466670ea810dad60f9820443af
Opcode Fuzzy Hash: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction Fuzzy Hash: 6FE0E5B0804208EFCB419FA09A48A7DBFF1AB08311F109449E84AE7350CB784995EF40

Function 00BBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD86C
GetDC.USER32(00000000), ref: 00BBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction ID: 7f5d248e336cc2e8e751f070c45dd191f060c8d8ef76343e2e91123b2e10e548
Opcode Fuzzy Hash: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction Fuzzy Hash: FDE012B0804208EFCB40AFA0DA08A7DBFF1BB08310F109448E84AE7350CF385996EF40

Function 00BD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BD4ED4

Strings

LPT, xrefs: 00BD4DFB
*, xrefs: 00BD4E10

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 12caadbb9033a221e481401faada714af57f4dfd4b504ec051777d8ab57aebbe
Instruction ID: 0d75ff6f0c613a30bf390f612582a18fcea57d63d14ab2b1917975ac62ebb14c
Opcode Fuzzy Hash: 12caadbb9033a221e481401faada714af57f4dfd4b504ec051777d8ab57aebbe
Instruction Fuzzy Hash: 39913D75A002449FCB14DF58C494EAABBF5EF44308F1980DAE80A9F362E775ED85CB91

Function 00B8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B8E30D

Strings

pow, xrefs: 00B8E2E5, 00B8E302

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction ID: cef3df1ccf47fcaa2cdae1d0210e4777749c11f7a2d0a73bd7365cc36d9929d2
Opcode Fuzzy Hash: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction Fuzzy Hash: F0514AA1A6C60296CF167B18C9417BD3BE8EF40740F3449F8E4A5422B9DF34CC91DB4A

Function 00B7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B7E1B1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction ID: db2d04e5a78e158b7daee6816cb15fbcb27aa9eb71eb7388feb66c7b33e38512
Opcode Fuzzy Hash: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction Fuzzy Hash: 40510035504246EFDB15DF68C4816FA7BE8EF19310F2480D9E8B1AB2A1DB74DD42CBA0

Function 00B7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B7F2BB

Strings

@, xrefs: 00B7F2AF

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction ID: 05a200053483bc5b51e425af46cabc34e43b2e80af18f0d322edc2aa44f65c2b
Opcode Fuzzy Hash: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction Fuzzy Hash: AC5155714187459BD320AF50D886BAFBBF8FB84304F81888DF2D9411A5EB758529CB66

Function 00BE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00BE57E0
_wcslen.LIBCMT ref: 00BE57EC

Strings

CALLARGARRAY, xrefs: 00BE57E6, 00BE57EB

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9837765c77022a6c25ba715e3e26957258ed72c3aa835626d71c4318fa615dfb
Instruction ID: d5d9f4b7862b9f13f8ad491b9047d6d327ec9a33ab6c04df86fc86ba557325c8
Opcode Fuzzy Hash: 9837765c77022a6c25ba715e3e26957258ed72c3aa835626d71c4318fa615dfb
Instruction Fuzzy Hash: F041B231E00109DFCB24DFA9C8819BEBBF9FF59318F1441A9E515A7251EB349D81CB90

Function 00BDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BDD13A

Strings

|, xrefs: 00BDD10B

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction ID: 8e3851e289471ca7bfba4ab6de5d53430d14defa0f9147fa3088c5fda3241e9d
Opcode Fuzzy Hash: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction Fuzzy Hash: 99311A71D00209ABCF15EFA4CC85AEEBFF9FF04300F000199F915A6261E735AA46DB90

Function 00BF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BF365C

Strings

static, xrefs: 00BF35BC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5eecb046fff4239b99bdca5f56ebbcde4a6e32f8ba393c51db38530a873ad762
Instruction ID: 9e6aa7a70188d289f28eaa15894817d7cc6a4454b2791da5eb9a4c693acb2e15
Opcode Fuzzy Hash: 5eecb046fff4239b99bdca5f56ebbcde4a6e32f8ba393c51db38530a873ad762
Instruction Fuzzy Hash: F0318D71110208AEDB109F68DC80EBB77E9FF98B24F008659FAA5D7290DA30ED95D760

Function 00BF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF4634

Strings

', xrefs: 00BF458E

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction ID: f81806e267f1acbf5d932555ffbc80353ac4a561680f7389bec3d976c968f827
Opcode Fuzzy Hash: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction Fuzzy Hash: 1131F574A01209AFDF14DFA9C990BEABBF5FB59300F1440AAEA05AB351D770A945CF90

Function 00BF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF3287

Strings

Combobox, xrefs: 00BF3249

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction ID: 1b5bc8cf1faaa9438df18e3dcd65959829ffb4d90d416a79ae7336dba3e05076
Opcode Fuzzy Hash: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction Fuzzy Hash: B311B27130020C7FFF219E54DC80EBB3BEAEB98764F104265FA1897290D631DD559760

Function 00BF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

GetWindowRect.USER32(00000000,?), ref: 00BF377A
GetSysColor.USER32(00000012), ref: 00BF3794

Strings

static, xrefs: 00BF3757

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction ID: e515e2949e018783128516f4419cd790ee59ba8d8072be2c04027862ed9f99ca
Opcode Fuzzy Hash: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction Fuzzy Hash: 601106B2610209AFDB00EFA8C846EBA7BE8EB08714F004954FA55E3250DB35E955DB50

Function 00BDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BDCDA6

Strings

<local>, xrefs: 00BDCD66

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction ID: 12d047f736f68bf2506bbb1d7eb98331c7696e9f380adf1cadbba8db4efd6f71
Opcode Fuzzy Hash: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction Fuzzy Hash: 0611A3712056367AD7284A668C85EF7FEAAEF127A4F104277B11A83290E6609840D6F0

Function 00BF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BF34BA

Strings

edit, xrefs: 00BF348F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction ID: 9bf704fb37aa702a2897cb02ede15fc7e2d396f3ce390f0d4c53d8a65e6f6c74
Opcode Fuzzy Hash: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction Fuzzy Hash: 5311BC7110020CAFEB128E64DC80ABB3BEAEB04B74F504364FA60932E0C771DD999B60

Function 00BC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BC6CB6
_wcslen.LIBCMT ref: 00BC6CC2

Strings

STOP, xrefs: 00BC6CBC, 00BC6CC1

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction ID: 440ccae411bc6831978dde2c9ee29e3f70e4ff9bbf23b64c08662de7313e8e62
Opcode Fuzzy Hash: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction Fuzzy Hash: 5801C032A1052A8BCB20AFFDDC80EBF77E9EB61720B1005BCE86297194EB35D940C650

Function 00BC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BC1D4C

Strings

ComboBox, xrefs: 00BC1CEB
ListBox, xrefs: 00BC1D16

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction ID: 2f51347b4b1936385fac12de1e773d6871b811221fb8c0407bf2f417c44ba22c
Opcode Fuzzy Hash: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction Fuzzy Hash: EF01D871601218ABCB04EBA4CD51EFF77E8EB57350B140DADF823672C2EA349908C660

Function 00BC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BC1C46

Strings

ComboBox, xrefs: 00BC1BE5
ListBox, xrefs: 00BC1C10

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction ID: 12b6f48af06cec1687725d1c05c500c598c7bd211ffb21393db5aa4f7d7035c5
Opcode Fuzzy Hash: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction Fuzzy Hash: 0B01A77578110867CB04EB94CA51FFF77ECDB12340F14049DB40677282EA349E18E6B1

Function 00BC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BC1CC8

Strings

ComboBox, xrefs: 00BC1C69
ListBox, xrefs: 00BC1C94

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction ID: fb8ed551bb2dd66ca77e6f851cc4fc5ea068b5ad95f7128020109fda7cfb8ce2
Opcode Fuzzy Hash: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction Fuzzy Hash: EB018F7168021867CB04EBA4CA51FFF77ECDB12380F540499B802B7282EA349E18D671

Function 00BC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BC1DD3

Strings

ComboBox, xrefs: 00BC1D75
ListBox, xrefs: 00BC1DA0

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction ID: de1b0562150d1d98f03f9cd5dc258b149098e8acc577c653bdcb614202f9139e
Opcode Fuzzy Hash: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction Fuzzy Hash: 36F0A471B5121867DB04F7A8DD92FFF77ECEB12750F440DA9B822B32C2DA7459088660

Function 00BE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE7493
_wcslen.LIBCMT ref: 00BE74B9

Strings

3, 3, 16, 1, xrefs: 00BE7483

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction ID: 4ecba43e7b40aa2a556c173ecdedc5952c1f236109186aeee7978457c84247d3
Opcode Fuzzy Hash: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction Fuzzy Hash: 1EE02B02245261149231227BECC197F56D9CFC975071018ABF985C23B6EF94CD91D3A0

Function 00BC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BC0B23

Strings

Error allocating memory., xrefs: 00BC0B1C
AutoIt, xrefs: 00BC0B17

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 945aad6451fe2233766feecc93489de27c90c45393349c74f89bed41e05f326c
Instruction ID: d8e88e696489b7d943f4b96163b3f2ce9675cc8689080b899aa0c352d2ab43ae
Opcode Fuzzy Hash: 945aad6451fe2233766feecc93489de27c90c45393349c74f89bed41e05f326c
Instruction Fuzzy Hash: 45E0483228931D6AD21436557D03FA97FC4CF05B51F1044AAFB58965D38FE168D087ED

Function 00B80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B80D71,?,?,?,00B6100A), ref: 00B7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B80D7F

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction ID: be2abcea14b7e2849324af7e5059b9445af116dccd0ec66beff47760a54adc95
Opcode Fuzzy Hash: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction Fuzzy Hash: F2E06D702103028FD3A0BFB9E5043667BE4EF00780F0489BDE886C7661DBB4E488CB91

Function 00BD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BD3044

Strings

aut, xrefs: 00BD3038

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction ID: d71c12389162d9b464c834a3a3d117d09acf34809e73d49eee5ddf3694efc890
Opcode Fuzzy Hash: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction Fuzzy Hash: 50D05E72500328A7DA20A7A4AD0EFDB3E6CDB04750F0002A1B655E3092DEB09984CAE0

Function 00BBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BBD220

Strings

%.3d, xrefs: 00BBD22B
X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction ID: ddec2e7207602ad899893e688b6fe174c83e711a1680c50edf2ac22ee110061a
Opcode Fuzzy Hash: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction Fuzzy Hash: 47D01261C09159EBCB50D7D0DCC59F9B7FCEB08341F5084E2F91A92040F66CC948AB61

Function 00BF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BF233F

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2325

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction ID: e985e1bcd37e2b6ae63eba7a7729a75c878b0c59e4073eee3eaae537e3261393
Opcode Fuzzy Hash: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction Fuzzy Hash: 8ED01276394314B7E664B770ED0FFD67E54AB10B10F0049267755EB1D0CDF0A881CA54

Function 00BF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF236C
PostMessageW.USER32(00000000), ref: 00BF2373

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2365

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction ID: fb97ad845171eb79dfad210004aed63f3588a220f35c25de6d56e7b9e29929d1
Opcode Fuzzy Hash: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction Fuzzy Hash: 17D0C972385314BAE664A770AD0FFD66A54AB15B10F4049267655EB1D0C9F0A881CA54

Function 00B9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B9BE93
GetLastError.KERNEL32 ref: 00B9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9BEFC

Memory Dump Source

Source File: 00000000.00000002.1681687692.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1681640303.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681793541.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681842070.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681898148.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction ID: c72df82b3246c9cd85e89eb56b331e5700b7a2513cf360ae79e47c44364e2594
Opcode Fuzzy Hash: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction Fuzzy Hash: 5941B13560060AABCF219F64EE84FBA7BE9EF41310F1441F9F959971A1DB308D01CB50

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1746766885&timestamp=1727829790934 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=td3USADiuf4UJFR-rJ_nTV1nXxZ6JwH1b9VaIPLV5MHB_GegnsH3teqxUNiAEiXsc_rsLKUBt-l26GXIdDHPn5tH36lsp42jq2CNB5snErn29dckqMQRGpXIEEeyKU_KDA6l2b9nm8uGgGs9AlNIWzO2oC83ds-nIV0404CvTj4AG6B6-4c
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3NwXhwVSFcfTD3u&MD=OOTO6bEG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3NwXhwVSFcfTD3u&MD=OOTO6bEG HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 00B642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00B642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00BA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00BEA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Function 00BEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00B62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00BA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00B6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00B62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00B63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00B61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre