Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523046
MD5:	b44fe2b76982daa43a25d6e62203b575
SHA1:	e1477346b672f5085ba1834a83bd115749b64570
SHA256:	92a682ac0279afe087f60cc9ff8664c88fc5c60c82456f904a96139cd2e34d8a
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B44FE2B76982DAA43A25D6E62203B575)

taskkill.exe (PID: 2256 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 2132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_75.5.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_75.5.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.1700007268.0000000001258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd%
Source: chromecache_80.5.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_75.5.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_75.5.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_80.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_80.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_75.5.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_75.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_75.5.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_75.5.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_75.5.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_80.5.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_75.5.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_75.5.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_75.5.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_80.5.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_75.5.dr	String found in binary or memory: https://www.google.com
Source: chromecache_75.5.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_80.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_75.5.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_75.5.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000002.1700056785.0000000001281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_75.5.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0078EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0078ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0078EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0077AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1673297236.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_caa448f9-7
Source: file.exe, 00000000.00000000.1673297236.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1e1ec682-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_30168aa7-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e6296373-d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0077D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00771201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00771201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0077E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071BF40	0_2_0071BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00718060	0_2_00718060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00782046	0_2_00782046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778298	0_2_00778298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074E4FF	0_2_0074E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074676B	0_2_0074676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A4873	0_2_007A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CAF0	0_2_0071CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073CAA0	0_2_0073CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072CC39	0_2_0072CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00746DD9	0_2_00746DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072B119	0_2_0072B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007191C0	0_2_007191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731394	0_2_00731394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731706	0_2_00731706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073781B	0_2_0073781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072997D	0_2_0072997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717920	0_2_00717920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007319B0	0_2_007319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00737A4A	0_2_00737A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731C77	0_2_00731C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00737CA7	0_2_00737CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079BE44	0_2_0079BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00749EEE	0_2_00749EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731F32	0_2_00731F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00730A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0072F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@34/30@12/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007837B5 GetLastError,FormatMessageW,

0_2_007837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007710BF AdjustTokenPrivileges,CloseHandle,		0_2_007710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0077D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0078648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007142A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00730A76 push ecx; ret

0_2_00730A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0072F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95650

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0077DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007868EE FindFirstFileW,FindClose,	0_2_007868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0078698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00789642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00789642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00789B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00789B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00785C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00785C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078EAA2 BlockInput,

0_2_0078EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00742622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00734CE8 mov eax, dword ptr fs:[00000030h]

0_2_00734CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00770B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00770B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00742622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0073083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007309D5 SetUnhandledExceptionFilter,	0_2_007309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00730C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00730C21

Source: C:\Users\user\Desktop\file.exe

0_2_00771201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00752BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00752BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077B226 SendInput,keybd_event,

0_2_0077B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007922DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00770B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00771663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00771663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00730698 cpuid

0_2_00730698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00788195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00788195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076D27A GetUserNameW,

0_2_0076D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0074BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00791204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00791806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	unknown
www3.l.google.com	172.217.18.14	true	false	unknown
play.google.com	142.250.186.110	true	false	unknown
www.google.com	142.250.185.132	true	false	unknown
youtube.com	216.58.206.46	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_75.5.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_75.5.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_80.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_75.5.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_80.5.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_75.5.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_75.5.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_75.5.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_75.5.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_75.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	www3.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.78	unknown	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.186.110	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523046
Start date and time:	2024-10-01 00:50:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@34/30@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.18.3, 142.250.184.238, 74.125.133.84, 34.104.35.123, 216.58.206.67, 172.217.16.195, 142.250.185.138, 142.250.186.74, 142.250.184.202, 142.250.185.234, 142.250.184.234, 142.250.186.138, 142.250.185.170, 142.250.185.106, 142.250.185.202, 172.217.18.10, 172.217.23.106, 142.250.186.42, 172.217.16.202, 142.250.186.106, 216.58.206.74, 142.250.185.74, 172.217.18.106, 142.250.74.202, 199.232.214.172, 192.229.221.95, 142.250.181.227, 142.251.168.84, 142.250.181.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://azgop.org/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg=	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	http://azgop.org/	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789948381047936
Encrypted:	false
SSDEEP:	3072:W0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:WlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	A97373CC3F8795654F3C8C6B57066AE7
SHA1:	F7BECFDDE230EF537E8745B598DCED737C490C3C
SHA-256:	A1B0568D555DC4B4AF4CC5A6C41E838B702816445C04FF002C8A13058387F311
SHA-512:	47C76D26F4F9F206F93186800E06D3DBE1FDD0A1BA23FB9A3556390DE7F86C1FFB2C78FE307FB944C690475BFBAE9738C38233E00FDDFA9775A3B2030081D7F1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEQAz5EZnBR6fK6LIn1v8ILsATM3g/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579771785034168
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	b44fe2b76982daa43a25d6e62203b575
SHA1:	e1477346b672f5085ba1834a83bd115749b64570
SHA256:	92a682ac0279afe087f60cc9ff8664c88fc5c60c82456f904a96139cd2e34d8a
SHA512:	c7d677fb435e9f9cb88290a270dd13f12e4cd370308f6264de1c6ca9e76098bc57507d3a4385830d7cdba965199500d352319d50be03004dd2901866ceecbb64
SSDEEP:	12288:TqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga9TQ:TqDEvCTbMWu7rQYlBQcBiT6rprG8a5Q
TLSH:	2C159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB2AED [Mon Sep 30 22:49:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FF3690E8963h
jmp 00007FF3690E826Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF3690E844Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF3690E841Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FF3690EB00Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FF3690EB058h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FF3690EB041h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x956c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x956c	0x9600	e185343aac492df4db0b3173396e1d63	False	0.28453125	data	5.166143566325022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x834	data			1.0052380952380953
RT_GROUP_ICON	0xdcfec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd064	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd078	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd08c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd17c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 00:51:00.606988907 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:00.607024908 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:00.607080936 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:00.614140987 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:00.614160061 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:00.938075066 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 1, 2024 00:51:01.376964092 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.377140045 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.377194881 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.377780914 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.377846956 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.378791094 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.378854990 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.379607916 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.379714012 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.379723072 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.422447920 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.422466040 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.469340086 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.664330959 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.664808989 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.664875031 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.665909052 CEST	49731	443	192.168.2.4	216.58.206.46
Oct 1, 2024 00:51:01.665949106 CEST	443	49731	216.58.206.46	192.168.2.4
Oct 1, 2024 00:51:01.677738905 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:01.677778006 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:01.677850008 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:01.678045034 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:01.678056002 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.317655087 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.318089008 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.318104982 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.318465948 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.318536997 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.319175959 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.319230080 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.320359945 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.320406914 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.320635080 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.320641041 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.375591040 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.626283884 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.626312017 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.626380920 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.626400948 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.626463890 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:02.627729893 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.628441095 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 00:51:02.628458023 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 00:51:04.713912964 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:04.713965893 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:04.714054108 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:04.714312077 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:04.714325905 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.362153053 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.362510920 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:05.362561941 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.363580942 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.363662958 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:05.364511013 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:05.364573956 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.365592003 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:05.365609884 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:05.365686893 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:05.367141962 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:05.367153883 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:05.405500889 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:05.405529022 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:05.452708960 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:06.014647961 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.014718056 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.018536091 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.018542051 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.018791914 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.062068939 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.068764925 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.111443043 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.287668943 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.287734032 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.287781000 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.287899971 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.287909031 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.287919998 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.287925959 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.349875927 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.349942923 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:06.350019932 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.350492001 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:06.350517035 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.034302950 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.034420013 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.035762072 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.035783052 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.036000967 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.037156105 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.083411932 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.402723074 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.402791977 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.402952909 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.403692007 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.403719902 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:07.403733969 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 00:51:07.403740883 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 00:51:09.661499977 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:09.661552906 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:09.661650896 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:09.661912918 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:09.661942959 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.309787989 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.310280085 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.310308933 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.310868979 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.310944080 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.311892033 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.311952114 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.313926935 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.314039946 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.314152002 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.314171076 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.363886118 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.631869078 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.632302046 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.632390022 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.632455111 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.632484913 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.632539988 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.632558107 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.632611990 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.637804985 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.637898922 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.643985033 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.644058943 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.644126892 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.644185066 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.650397062 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.650484085 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.656527042 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.656603098 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.656656027 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.656714916 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.722120047 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.722207069 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.722337008 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.722366095 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.722421885 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.722801924 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.722856045 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.727030993 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.727076054 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.727097034 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.727128029 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.727174044 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.733412981 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.733499050 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.739500046 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.739568949 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.739649057 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.745907068 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.745968103 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.745985985 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.752204895 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.752264977 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.752279043 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.752408981 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.752460957 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.863675117 CEST	49756	443	192.168.2.4	172.217.18.14
Oct 1, 2024 00:51:10.863775969 CEST	443	49756	172.217.18.14	192.168.2.4
Oct 1, 2024 00:51:10.979805946 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:10.979882002 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:10.980132103 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:10.980264902 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:10.980281115 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.063211918 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.063271999 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.063353062 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.063852072 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.063863993 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.612144947 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.612590075 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.612613916 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.612945080 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.613006115 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.613560915 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.613619089 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.614684105 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.614751101 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.614934921 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.614942074 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.657248974 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.711874008 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.712197065 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.712271929 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.712599993 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.712681055 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.713207006 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.713270903 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.713478088 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.713537931 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.713711023 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.713727951 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.768577099 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.915612936 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.915700912 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.915745974 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.917004108 CEST	49760	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.917031050 CEST	443	49760	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.918872118 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.918910027 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:11.918981075 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.919579029 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:11.919589996 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.018534899 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.018917084 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.018987894 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.019334078 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.019418955 CEST	443	49761	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.019454002 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.019484043 CEST	49761	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.020378113 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.020426035 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.020482063 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.020972013 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.020992994 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.559669018 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.560024977 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.560045004 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.560559034 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.560614109 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.561613083 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.561664104 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.562374115 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.562465906 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.564254999 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.564260960 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.564275980 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.607397079 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.608484030 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.650129080 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.650429010 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.650453091 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.650806904 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.650873899 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.651499987 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.651551962 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.651729107 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.651791096 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.651937008 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.651947021 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.651963949 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.699398041 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.702240944 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.783354044 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.784523010 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.784624100 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.785353899 CEST	49764	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.785368919 CEST	443	49764	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.868359089 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.868908882 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.869426966 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.870498896 CEST	49767	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:12.870512962 CEST	443	49767	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:12.873569012 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:12.919415951 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142111063 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142185926 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142347097 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142353058 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:13.142375946 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142424107 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142474890 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:13.142493010 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142541885 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:13.142842054 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.142894030 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.143754005 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:13.352720976 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:51:13.352780104 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 00:51:13.810976982 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:13.811022043 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:13.811110020 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:13.812649965 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:13.812676907 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:14.632312059 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:14.632400990 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:14.636750937 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:14.636764050 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:14.637003899 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:14.686800957 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.226342916 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.267410994 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487421036 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487443924 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487452030 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487468004 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487500906 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487694979 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.487694979 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.487719059 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.487773895 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.488545895 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.488625050 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:15.488632917 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.488856077 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:15.489816904 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:16.013531923 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:16.013562918 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:16.013576984 CEST	49771	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:16.013582945 CEST	443	49771	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:17.452034950 CEST	49723	80	192.168.2.4	93.184.221.240
Oct 1, 2024 00:51:17.458110094 CEST	80	49723	93.184.221.240	192.168.2.4
Oct 1, 2024 00:51:17.458194971 CEST	49723	80	192.168.2.4	93.184.221.240
Oct 1, 2024 00:51:18.692179918 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:18.692225933 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:18.692329884 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:18.692739964 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:18.692758083 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.348006964 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.348308086 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.348361015 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.348673105 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.349067926 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.349136114 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.349237919 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.349256039 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.349265099 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.678854942 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.680104017 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:19.680226088 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.681375980 CEST	49779	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:19.681396961 CEST	443	49779	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:41.565838099 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.565875053 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:41.565977097 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.566243887 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.566258907 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:41.971707106 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.971796036 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:41.971889019 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.972168922 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:41.972203970 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.221014023 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.221898079 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.221956015 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.223208904 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.223536015 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.223686934 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.223705053 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.223728895 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.223728895 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.267786980 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.267813921 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.522140026 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.522895098 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.522953987 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.523113966 CEST	49781	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.523154974 CEST	443	49781	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.622334003 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.622713089 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.622746944 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.623115063 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.623477936 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.623550892 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.623619080 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.623653889 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.623667955 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.844645023 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.845331907 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:42.845434904 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.845721006 CEST	49782	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:42.845753908 CEST	443	49782	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:43.517930031 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:43.518023968 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:43.518131971 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:43.518373013 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:43.518405914 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.154864073 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.155199051 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.155260086 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.155802965 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.156280994 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.156372070 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.156471014 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.156471014 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.156510115 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.453429937 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.454106092 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:44.454216003 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.454612017 CEST	49783	443	192.168.2.4	142.250.186.110
Oct 1, 2024 00:51:44.454669952 CEST	443	49783	142.250.186.110	192.168.2.4
Oct 1, 2024 00:51:52.634716988 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:52.634830952 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:52.634893894 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:52.635512114 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:52.635546923 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.413645983 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.413769960 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.417541027 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.417565107 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.417903900 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.426913023 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.467420101 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.760946989 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.760974884 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.760993004 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.761096001 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.761132002 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.761188030 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.762434959 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.762486935 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.762514114 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.762531996 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.762556076 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.762574911 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.762624979 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.766529083 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.766561985 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:51:53.766587973 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 00:51:53.766604900 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 00:52:04.766808033 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:04.766836882 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:04.766911983 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:04.767169952 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:04.767183065 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:05.406610966 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:05.407205105 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:05.407217026 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:05.407511950 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:05.407998085 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:05.408055067 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:05.453165054 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:06.452907085 CEST	49724	80	192.168.2.4	93.184.221.240
Oct 1, 2024 00:52:06.460364103 CEST	80	49724	93.184.221.240	192.168.2.4
Oct 1, 2024 00:52:06.460431099 CEST	49724	80	192.168.2.4	93.184.221.240
Oct 1, 2024 00:52:13.903420925 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.903533936 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:13.903620958 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.903995991 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.904031038 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:13.987601042 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.987626076 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:13.987737894 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.988097906 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:13.988111973 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.532711029 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.533014059 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.533066034 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.533433914 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.533744097 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.533812046 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.533909082 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.533943892 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.533955097 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.627532005 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.627783060 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.627794981 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.628146887 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.628429890 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.628489971 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.628573895 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.628595114 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.628654957 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.832664013 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.832808018 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.832881927 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.833235025 CEST	49788	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.833266973 CEST	443	49788	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.932111025 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.932226896 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:14.932293892 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.932715893 CEST	49789	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:14.932724953 CEST	443	49789	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:15.353090048 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:15.353164911 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:15.353266954 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:27.828425884 CEST	49786	443	192.168.2.4	142.250.185.132
Oct 1, 2024 00:52:27.828445911 CEST	443	49786	142.250.185.132	192.168.2.4
Oct 1, 2024 00:52:46.287194967 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.287266016 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.287354946 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.287967920 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.287986040 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.550601006 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.550658941 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.550762892 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.551882029 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.551897049 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.922476053 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.922806978 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.922836065 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.923182011 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.923705101 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.923763990 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.924015999 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.924056053 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.924056053 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:46.924062967 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:46.971440077 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.285258055 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.285391092 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.285450935 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.286756992 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.327785015 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.405967951 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.405986071 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.406426907 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.407289982 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.407351017 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.407373905 CEST	49791	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.407406092 CEST	443	49791	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.412749052 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.412779093 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.412785053 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.711421013 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.711914062 CEST	443	49792	216.58.206.78	192.168.2.4
Oct 1, 2024 00:52:47.711977005 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.712263107 CEST	49792	443	192.168.2.4	216.58.206.78
Oct 1, 2024 00:52:47.712285042 CEST	443	49792	216.58.206.78	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 00:51:00.595892906 CEST	53	54297	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:00.596801043 CEST	64075	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:00.596859932 CEST	61766	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:00.603621006 CEST	53	64075	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:00.604098082 CEST	53	61766	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:00.605166912 CEST	53	49383	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:01.668612957 CEST	49966	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:01.668955088 CEST	64376	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:01.676974058 CEST	53	49966	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:01.677078962 CEST	53	64376	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:01.711081028 CEST	53	49628	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:04.704866886 CEST	51954	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:04.705738068 CEST	62299	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:04.711555004 CEST	53	51954	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:04.712234020 CEST	53	62299	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:06.895730972 CEST	53	62197	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:09.650212049 CEST	64052	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:09.650588036 CEST	49335	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:09.656905890 CEST	53	64052	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:09.657370090 CEST	53	49335	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:10.960714102 CEST	61013	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:10.961239100 CEST	57662	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:51:10.967591047 CEST	53	61013	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:10.967968941 CEST	53	57662	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:12.570291042 CEST	53	54173	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:17.879204035 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 00:51:18.869689941 CEST	53	50171	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:37.697432041 CEST	53	57682	1.1.1.1	192.168.2.4
Oct 1, 2024 00:51:59.979768038 CEST	53	64715	1.1.1.1	192.168.2.4
Oct 1, 2024 00:52:00.543906927 CEST	53	54227	1.1.1.1	192.168.2.4
Oct 1, 2024 00:52:11.722316980 CEST	53	53527	1.1.1.1	192.168.2.4
Oct 1, 2024 00:52:13.895642996 CEST	62956	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:52:13.895843983 CEST	57345	53	192.168.2.4	1.1.1.1
Oct 1, 2024 00:52:13.902431011 CEST	53	62956	1.1.1.1	192.168.2.4
Oct 1, 2024 00:52:13.902597904 CEST	53	57345	1.1.1.1	192.168.2.4
Oct 1, 2024 00:52:27.838131905 CEST	53	63336	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 00:51:00.596801043 CEST	192.168.2.4	1.1.1.1	0x5243	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:00.596859932 CEST	192.168.2.4	1.1.1.1	0xc2bf	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:51:01.668612957 CEST	192.168.2.4	1.1.1.1	0x412f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.668955088 CEST	192.168.2.4	1.1.1.1	0x6226	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:51:04.704866886 CEST	192.168.2.4	1.1.1.1	0x3cbc	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:04.705738068 CEST	192.168.2.4	1.1.1.1	0xfcde	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 00:51:09.650212049 CEST	192.168.2.4	1.1.1.1	0xa633	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:09.650588036 CEST	192.168.2.4	1.1.1.1	0x9a9a	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 00:51:10.960714102 CEST	192.168.2.4	1.1.1.1	0x4fea	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:10.961239100 CEST	192.168.2.4	1.1.1.1	0x1ddf	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 00:52:13.895642996 CEST	192.168.2.4	1.1.1.1	0x5f	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:52:13.895843983 CEST	192.168.2.4	1.1.1.1	0x748a	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 00:51:00.603621006 CEST	1.1.1.1	192.168.2.4	0x5243	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:00.604098082 CEST	1.1.1.1	192.168.2.4	0xc2bf	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.676974058 CEST	1.1.1.1	192.168.2.4	0x412f	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:01.677078962 CEST	1.1.1.1	192.168.2.4	0x6226	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:51:01.677078962 CEST	1.1.1.1	192.168.2.4	0x6226	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 00:51:04.711555004 CEST	1.1.1.1	192.168.2.4	0x3cbc	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:04.712234020 CEST	1.1.1.1	192.168.2.4	0xfcde	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 00:51:09.656905890 CEST	1.1.1.1	192.168.2.4	0xa633	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:51:09.656905890 CEST	1.1.1.1	192.168.2.4	0xa633	No error (0)	www3.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:51:09.657370090 CEST	1.1.1.1	192.168.2.4	0x9a9a	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 00:51:10.967591047 CEST	1.1.1.1	192.168.2.4	0x4fea	No error (0)	play.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 00:52:13.902431011 CEST	1.1.1.1	192.168.2.4	0x5f	No error (0)	play.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	216.58.206.46	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:01 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:01 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Mon, 30 Sep 2024 22:51:01 GMT Date: Mon, 30 Sep 2024 22:51:01 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.185.174	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:02 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:02 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Sep 2024 22:51:02 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Mon, 30-Sep-2024 23:21:02 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=aw__V0zjf74; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=euesydakLMg; Domain=.youtube.com; Expires=Sat, 29-Mar-2025 22:51:02 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgDQ%3D%3D; Domain=.youtube.com; Expires=Sat, 29-Mar-2025 22:51:02 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 22:51:06 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=237284 Date: Mon, 30 Sep 2024 22:51:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:07 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-30 22:51:07 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=237227 Date: Mon, 30 Sep 2024 22:51:07 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-30 22:51:07 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	172.217.18.14	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:10 UTC	1215	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=756816628&timestamp=1727736668553 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:10 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-1iPixHssZaBeVpglAgk7-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Sep 2024 22:51:10 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw0ZBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-PetTfb2QQePHnwlVFJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAAGXQunA" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 31 69 50 69 78 48 73 73 5a 61 42 65 56 70 67 6c 41 67 6b 37 2d 51 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="1iPixHssZaBeVpglAgk7-Q">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-09-30 22:51:10 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49760	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:11 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:11 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49761	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:11 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:11 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:12 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:12 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 36 36 39 38 36 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736669866",null,null,null
2024-09-30 22:51:12 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ZIEcnbDmg5kMJInDhpZVY-6HwpO0AbLiv9Wxo1HYyEARyldWeJKl3YcNmDSBXZ87EC6JNjQ5-GnzU6SqLyr4_X5GGrOu3hhk7f_lPXJUh1ReZimnTx8v_--YUTwcepFLbOmC-YI_fYfdzNQgX6u1AQZd2XrBky4EcBFDkVAD48G6C4ZfEig; expires=Tue, 01-Apr-2025 22:51:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:51:12 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49767	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:12 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-09-30 22:51:12 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 36 36 39 39 37 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736669970",null,null,null
2024-09-30 22:51:12 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=HzBEQLtXiO0sUyzN6iLBseVYTZTLwazWmS33sGQBZqfg10E1WdlDA5RzdklOxyEdnuFKyvckRFFOilHQ2YGS9z6MGw_CpGQDXJLbWSCuirQeQk7cup_oQlWaFDBBiNTvkSYWf-aXYHL4Rf0ySl5aBKfFqA8D-NyUhHwPHl2Mr8NMJNHcfg; expires=Tue, 01-Apr-2025 22:51:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:51:12 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.185.132	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:12 UTC	1214	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ZIEcnbDmg5kMJInDhpZVY-6HwpO0AbLiv9Wxo1HYyEARyldWeJKl3YcNmDSBXZ87EC6JNjQ5-GnzU6SqLyr4_X5GGrOu3hhk7f_lPXJUh1ReZimnTx8v_--YUTwcepFLbOmC-YI_fYfdzNQgX6u1AQZd2XrBky4EcBFDkVAD48G6C4ZfEig
2024-09-30 22:51:13 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Mon, 30 Sep 2024 21:46:52 GMT Expires: Tue, 08 Oct 2024 21:46:52 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 3861 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-30 22:51:13 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-30 22:51:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-30 22:51:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-30 22:51:13 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-30 22:51:13 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49771	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HL5H5yoHUlv7Y1p&MD=84Svop5v HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 22:51:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 48232004-1efb-4e10-a9fa-32c81ac0676b MS-RequestId: 4e4a2b6a-83c7-49cd-b003-cac21343927e MS-CV: qt8O9jQk0UKwKBUE.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 22:51:14 GMT Connection: close Content-Length: 24490
2024-09-30 22:51:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-30 22:51:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49779	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:19 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=HzBEQLtXiO0sUyzN6iLBseVYTZTLwazWmS33sGQBZqfg10E1WdlDA5RzdklOxyEdnuFKyvckRFFOilHQ2YGS9z6MGw_CpGQDXJLbWSCuirQeQk7cup_oQlWaFDBBiNTvkSYWf-aXYHL4Rf0ySl5aBKfFqA8D-NyUhHwPHl2Mr8NMJNHcfg
2024-09-30 22:51:19 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 33 36 36 36 37 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727736667000",null,null,null,
2024-09-30 22:51:19 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q; expires=Tue, 01-Apr-2025 22:51:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:19 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 30 Sep 2024 22:51:19 GMT Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49781	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:42 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1387 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:51:42 UTC	1387	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 30 30 34 37 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736700473",null,null,null
2024-09-30 22:51:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49782	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:42 UTC	1289	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1038 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:51:42 UTC	1038	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-09-30 22:51:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49783	142.250.186.110	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:44 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1259 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:51:44 UTC	1259	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 30 32 34 32 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736702425",null,null,null
2024-09-30 22:51:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:51:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:51:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:51:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49784	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:51:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HL5H5yoHUlv7Y1p&MD=84Svop5v HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 22:51:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: c30b8ed2-ced4-419b-b344-6c2646961176 MS-RequestId: 130ead67-f8c8-47a7-ace7-9a4364afc102 MS-CV: /RtDbfp2j0q7bGBK.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 22:51:53 GMT Connection: close Content-Length: 30005
2024-09-30 22:51:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-30 22:51:53 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49788	216.58.206.78	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:52:14 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1280 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:52:14 UTC	1280	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 33 32 38 31 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736732811",null,null,null
2024-09-30 22:52:14 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:52:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:52:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:52:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49789	216.58.206.78	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:52:14 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1332 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:52:14 UTC	1332	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 33 32 39 30 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736732904",null,null,null
2024-09-30 22:52:14 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:52:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:52:14 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:52:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49791	216.58.206.78	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:52:46 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1440 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:52:46 UTC	1440	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 36 35 32 30 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736765202",null,null,null
2024-09-30 22:52:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:52:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:52:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:52:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49792	216.58.206.78	443	5320	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 22:52:47 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1416 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ANMJC43NkEBKG1CLEsmst3nstoK1TtCRkqbna5-DrU0-Ob7BMoMq4CUJVXxo0IhMZ_fAu3V3xMbvFY_KEH0UfYaC580ILeHSPC8PyVGjIfRdUautX6bSBZSJeJiORb8EZLGy9R9ZQ_ivn3kUHvvyxR3oCGIAXfFLStZechE9so2jLyuEUKe8AwRG0Q
2024-09-30 22:52:47 UTC	1416	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 33 36 37 36 35 34 36 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727736765467",null,null,null
2024-09-30 22:52:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Mon, 30 Sep 2024 22:52:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-09-30 22:52:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-09-30 22:52:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:50:55
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x710000
File size:	917'504 bytes
MD5 hash:	B44FE2B76982DAA43A25D6E62203B575
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:50:55
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x2a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:50:55
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:50:58
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:50:58
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	18:51:09
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	18:51:09
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=2016,i,12500245755029994399,16919499737408860724,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	1495
Total number of Limit Nodes:	38

Executed Functions

Function 007142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0071430D

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetCurrentProcess.KERNEL32(?,007ACB64,00000000,?,?), ref: 00714422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00714429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00714454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00714466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00714474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0071447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007144A0

Strings

kernel32.dll, xrefs: 0071444F
GetNativeSystemInfo, xrefs: 00714460
|O, xrefs: 007536F8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction ID: 61a728e487382d2ffd26c9a8a2a6302f791fd2cd0d411c066b4e7bd40995fff8
Opcode Fuzzy Hash: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction Fuzzy Hash: C2A1B57190B2C0DFC712C76DBCC35D97FA46B2E741B98C899D8419BA62D27C4948CB39

Function 007142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007150AA,?,?,00000000,00000000), ref: 007142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007150AA,?,?,00000000,00000000), ref: 007142C9
LoadResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535BE
SizeofResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535D3
LockResource.KERNEL32(007150AA,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20,?), ref: 007535E6

Strings

SCRIPT, xrefs: 007142BF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction ID: 078e415e3dcdb5a2318902a1cf8b8e1b4e08edb23d86cefa097389b90d852af8
Opcode Fuzzy Hash: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction Fuzzy Hash: 76118E71200700BFDB268B69DC49F677BBAFBC6B51F108169F402D62A0DB75DC409A30

Function 00752BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007D2224), ref: 00752C10
ShellExecuteW.SHELL32(00000000,?,?,007D2224), ref: 00752C17

Strings

runas, xrefs: 00752C0B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 85d584d4f750e5e00dd26d518d932129a611c4dc5a64ff1e93e14fc5f3e5bb7a
Instruction ID: fdd33ec09103c1c2364a8ce8d37effc187918350f2a1411c69899f80e1b0251e
Opcode Fuzzy Hash: 85d584d4f750e5e00dd26d518d932129a611c4dc5a64ff1e93e14fc5f3e5bb7a
Instruction Fuzzy Hash: 8C11D571208381EAC715FF68D85A9EDB7A49B96350F44442DB182061E3DF3C9A8B8712

Function 0077D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Process32NextW.KERNEL32(00000000,?), ref: 0077D52F
CloseHandle.KERNELBASE(00000000), ref: 0077D5DC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 95326117376729f05973ea81cc7a6813d97bfbb87f909dba36f38cd3f287a449
Instruction ID: fdac29c39eb320e89cdccb77d7d8b6e701500ab5697455adbf8ec287c4ecc539
Opcode Fuzzy Hash: 95326117376729f05973ea81cc7a6813d97bfbb87f909dba36f38cd3f287a449
Instruction Fuzzy Hash: 5A31B372108300EFD711EF54C895AAFBBF8EFD9384F10452DF685821A1EB759985CBA2

Function 0077DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00755222), ref: 0077DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0077DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0077DBEE
FindClose.KERNEL32(00000000), ref: 0077DBFA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction ID: 0e8db9eb0887bbd4ddfbbb28e9558a1b47cc3b62dee6685332612eef450e94a1
Opcode Fuzzy Hash: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction Fuzzy Hash: 91F0EC304105146B96326B7CDC0D4AA377CAE42374F10C702F43AC10F0EBB85D54C5E9

Function 00734CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D09
TerminateProcess.KERNEL32(00000000,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D10
ExitProcess.KERNEL32 ref: 00734D22

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction ID: f71e474f37f7d0577c0548a2aaf5504297bc068c4a3bdbc9ea5456626bc873f8
Opcode Fuzzy Hash: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction Fuzzy Hash: BFE0B631110548FBDF16AF64DD09A593B79EB82781F118014FD099A133CB3DED42CA85

Function 0071BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#~, xrefs: 007607CE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#~
API String ID: 3964851224-2728696344
Opcode ID: 47ffaab34a1a8b08fff18b6fb707925df46451e9ee38597902d2041efda77374
Instruction ID: c02292d465e6b338c137c29cec6f9c6645fe3e361ee6a88ca52c75b719bff6ef
Opcode Fuzzy Hash: 47ffaab34a1a8b08fff18b6fb707925df46451e9ee38597902d2041efda77374
Instruction Fuzzy Hash: 9DA28D70608341CFD711CF68C484B6AB7E1BF89304F14896DE89A9B392D779EC85CB92

Function 0079AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0079B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1D4
_wcslen.LIBCMT ref: 0079B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B236
_wcslen.LIBCMT ref: 0079B332

Part of subcall function 007805A7: GetStdHandle.KERNEL32(000000F6), ref: 007805C6

_wcslen.LIBCMT ref: 0079B34B
_wcslen.LIBCMT ref: 0079B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079B3B6
GetLastError.KERNEL32(00000000), ref: 0079B407
CloseHandle.KERNEL32(?), ref: 0079B439
CloseHandle.KERNEL32(00000000), ref: 0079B44A
CloseHandle.KERNEL32(00000000), ref: 0079B45C
CloseHandle.KERNEL32(00000000), ref: 0079B46E
CloseHandle.KERNEL32(?), ref: 0079B4E3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: af442077189b8b8efde5acd5d542345fe111d547fbb227bf3e41a62c5189ca33
Instruction ID: 2dd6ef691732084a6b7ab70e7b8270db7d3fba16c75bb02701d5cf3d6a20750d
Opcode Fuzzy Hash: af442077189b8b8efde5acd5d542345fe111d547fbb227bf3e41a62c5189ca33
Instruction Fuzzy Hash: C7F1AC31604340DFCB15EF28E995B6EBBE1AF85310F14855DF8898B2A2DB39EC44CB52

Function 0071D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0071D807
timeGetTime.WINMM ref: 0071DA07
Sleep.KERNELBASE(0000000A), ref: 0071DBB1
Sleep.KERNELBASE(0000000A), ref: 00762B76
GetExitCodeProcess.KERNELBASE(?,?), ref: 00762C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00762C29
CloseHandle.KERNELBASE(?), ref: 00762C3D
Sleep.KERNELBASE(?,CCCCCCCC,00000000), ref: 00762CA9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: c66138e69e1c88171accb294e99c17e8483ba315f019120bcc7a52461e1baca2
Instruction ID: f82fb1cb92721b5671b42632a80fcc0d51ac00dfe5b886877876f40a349a80b4
Opcode Fuzzy Hash: c66138e69e1c88171accb294e99c17e8483ba315f019120bcc7a52461e1baca2
Instruction Fuzzy Hash: 0442D070608641EFD735CF28C888BAAB7A0BF85314F548519E8568B2D2D77CEC85CF92

Function 00712CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712D07
RegisterClassExW.USER32(00000030), ref: 00712D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
LoadIconW.USER32(000000A9), ref: 00712D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

0, xrefs: 00712CE9
TaskbarCreated, xrefs: 00712D37
+, xrefs: 00712CF0
AutoIt v3 GUI, xrefs: 00712D23

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction ID: e1fe3b45651527b76380ed27353a5991d1fc725b37eff30921cbe47250dbdb5f
Opcode Fuzzy Hash: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction Fuzzy Hash: 9221F9B1902398EFDB01DF94EC89BDD7BB4FB49704F40811AF511AA290D7B95540CF58

Function 0075065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0075039A: CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

GetLastError.KERNEL32 ref: 0075076F
__dosmaperr.LIBCMT ref: 00750776
GetFileType.KERNELBASE(00000000), ref: 00750782
GetLastError.KERNEL32 ref: 0075078C
__dosmaperr.LIBCMT ref: 00750795
CloseHandle.KERNEL32(00000000), ref: 007507B5
CloseHandle.KERNEL32(?), ref: 007508FF
GetLastError.KERNEL32 ref: 00750931
__dosmaperr.LIBCMT ref: 00750938

Strings

H, xrefs: 007508BD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction ID: 2756dfd9e64cdc3823c23120e3f72f3330ee844166fcfcb294bb197b23a930b7
Opcode Fuzzy Hash: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction Fuzzy Hash: E4A12532A001449FDF19AF68D895BEE3BA0EB4A321F14415DFC11DF292DB799816CBD1

Function 0071344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00713357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00713379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0071356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0075318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007531CE
RegCloseKey.ADVAPI32(?), ref: 00753210
_wcslen.LIBCMT ref: 00753277
_wcslen.LIBCMT ref: 00753286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00713560
Include, xrefs: 00753184, 007531C5
\, xrefs: 0075328C
\Include\, xrefs: 00713527

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 090b813e4937396d67f225a5ee52187f6752719ff1ea84f2bd76cf4e27f14d4f
Instruction ID: 641b74626531812f7e281e842b2567130f5a6fa06b5443884013a9f87e0bde13
Opcode Fuzzy Hash: 090b813e4937396d67f225a5ee52187f6752719ff1ea84f2bd76cf4e27f14d4f
Instruction Fuzzy Hash: CD718D71405340AEC314DF29DC869ABBBE8FF89740F40452EF545871A2EB7C9A8ACF65

Function 00712B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00712B9D
LoadIconW.USER32(00000063), ref: 00712BB3
LoadIconW.USER32(000000A4), ref: 00712BC5
LoadIconW.USER32(000000A2), ref: 00712BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00712BEF
RegisterClassExW.USER32(?), ref: 00712C40

Part of subcall function 00712CD4: GetSysColorBrush.USER32(0000000F), ref: 00712D07
Part of subcall function 00712CD4: RegisterClassExW.USER32(00000030), ref: 00712D31
Part of subcall function 00712CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
Part of subcall function 00712CD4: InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
Part of subcall function 00712CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
Part of subcall function 00712CD4: LoadIconW.USER32(000000A9), ref: 00712D85
Part of subcall function 00712CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

0, xrefs: 00712C0F
#, xrefs: 00712C16
AutoIt v3, xrefs: 00712C2F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction ID: 4982dca1d4aa2946c6a60bc830685cc4544640f3969abe2ee9725dc15f8a5a3d
Opcode Fuzzy Hash: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction Fuzzy Hash: F2213D70E02358AFDB119F95EC96A9D7FB4FB4CB50F40801AE500EA7A0D7B91540CF98

Function 0071B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BB4E

Strings

p%~, xrefs: 0071B8DC
p%~, xrefs: 0071BB32
x#~, xrefs: 00760207
x#~, xrefs: 00760168
p#~, xrefs: 0071BA72
p#~, xrefs: 0071BB6B
p#~, xrefs: 0076024F
p#~, xrefs: 00760263

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#~$p#~$p#~$p#~$p%~$p%~$x#~$x#~
API String ID: 1385522511-3993589769
Opcode ID: 0a505d872b97696ea69f2eb60285f85285325c4ffd6ab2ec449e69f36b6b0256
Instruction ID: 89e136bec427604818833f11869aa4db7558e2c6158dfdc5454cde948fa105fc
Opcode Fuzzy Hash: 0a505d872b97696ea69f2eb60285f85285325c4ffd6ab2ec449e69f36b6b0256
Instruction Fuzzy Hash: 9A329074A04209DFDB24CF58C894ABEB7B9EF48314F148059ED06AB291D77CED82CB91

Function 00713170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0071316A,?,?), ref: 007131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0071316A,?,?), ref: 00713204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00713227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0071316A,?,?), ref: 00713232
CreatePopupMenu.USER32 ref: 00713246
PostQuitMessage.USER32(00000000), ref: 00713267

Strings

TaskbarCreated, xrefs: 0071322D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8598525eece451ce39067f810198165d680532bcd3012b95e53f0b90ae9d990d
Instruction ID: d7498f32f24b11cbad3cbb81253b2ba8205f76f692222e2ce03392ead23fc2e5
Opcode Fuzzy Hash: 8598525eece451ce39067f810198165d680532bcd3012b95e53f0b90ae9d990d
Instruction Fuzzy Hash: B9414731300288BBDB156B7C9C4EBFD3A29F74A340F448125F9029A1E2CB7DDAC197A5

Function 00711410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00711459
CoUninitialize.COMBASE ref: 007114F8
UnregisterHotKey.USER32(?), ref: 007116DD
DestroyWindow.USER32(?), ref: 007524B9
FreeLibrary.KERNEL32(?), ref: 0075251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0075254B

Strings

close all, xrefs: 00711454

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 6d010599df17e9c6f8b6f69cc31c869fb55ec74c1cc72acc703dcdad0a0682f4
Instruction ID: 540d7b52b1be858296832f5b41640ae98a657845887050055c73fbdd30021dd6
Opcode Fuzzy Hash: 6d010599df17e9c6f8b6f69cc31c869fb55ec74c1cc72acc703dcdad0a0682f4
Instruction Fuzzy Hash: E9D1A131701212DFCB19EF18C499AA9F7A0BF06701F5441ADE94A6B292DB39EC67CF50

Function 00712C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00712C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00712CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CCF

Strings

edit, xrefs: 00712CAC
AutoIt v3, xrefs: 00712C89, 00712C8E, 00712C8F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction ID: dfd36fd927c4f82ca94494c4970cb2751ac708fe6d468624cc0fad9be2f9d430
Opcode Fuzzy Hash: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction Fuzzy Hash: F1F0DA755412D07AEB311717AC8AE772EBDD7CBF50B80805AF900AA9A0C6791851DAB8

Function 00713B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B83

Strings

Control Panel\Mouse, xrefs: 00713B3E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction ID: 0078ff801ee003af4fd72b8af98ec4cb76e4bac48958a350de0f80346895b6ad
Opcode Fuzzy Hash: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction Fuzzy Hash: A41127F5614208FFDB218FA9DC85AEFBBB8EF45744B10846AA805D7150E2359E809BA4

Function 00713923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007533A2

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00713A04

Strings

Line: , xrefs: 007533EB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a6dc32fb4beb16ecb8d03fe18ff20e13fe920454a719c32aa703679a922e1275
Instruction ID: bd7a0b599e1d0cff4a3815d3206242eb45fa1ec06cc4b7e8de1586e7fe723869
Opcode Fuzzy Hash: a6dc32fb4beb16ecb8d03fe18ff20e13fe920454a719c32aa703679a922e1275
Instruction Fuzzy Hash: CC31C571409344AAD721EB18DC4ABEBB7ECAF44714F00451AF599930D1DB7CA689C7C6

Function 00712DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00752C8C

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 00712DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Strings

`e}, xrefs: 00752C85
X, xrefs: 00752C5A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e}
API String ID: 779396738-2683834941
Opcode ID: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction ID: 5260650d06b0f85b87e6d1abacea3563a0e0ab950da70406ffa2e126c88eb735
Opcode Fuzzy Hash: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction Fuzzy Hash: A7219671A00298DBDB41DF98D8497EE7BF89F49705F10805AE405A7282DBBC5A8D8F61

Function 0072FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00730668

Part of subcall function 007332A4: RaiseException.KERNEL32(?,?,?,0073068A,?,007E1444,?,?,?,?,?,?,0073068A,00711129,007D8738,00711129), ref: 00733304

__CxxThrowException@8.LIBVCRUNTIME ref: 00730685

Strings

Unknown exception, xrefs: 00730692

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fb295e991040b356e7a8e2a0dc26024c734a70fa7851b3a02c3a0fc029660b39
Instruction ID: 3738ef3aa7bc16a0498bd7a634489059d13cb8c70dca95bfeb5e720267212109
Opcode Fuzzy Hash: fb295e991040b356e7a8e2a0dc26024c734a70fa7851b3a02c3a0fc029660b39
Instruction Fuzzy Hash: D7F0C234A0020DF7DB04B6A4E86AD9E777C6E40320F604532F824D6597EF79EA65C5C1

Function 007110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00711BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Part of subcall function 00711B4A: RegisterWindowMessageW.USER32(00000004,?,007112C4), ref: 00711BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0071136A
OleInitialize.OLE32 ref: 00711388
CloseHandle.KERNEL32(00000000,00000000), ref: 007524AB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction ID: 55fc5a7b85a390aed54c42a564f7ea5afc2d3248a32d7752b327b437c4c949aa
Opcode Fuzzy Hash: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction Fuzzy Hash: 0F717EB49033C09EC785DF69A9876993AE0BB8D3543D4C22A911ACF3A1EB3C5491CF59

Function 0077C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00713923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00713A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0077C259
KillTimer.USER32(?,00000001,?,?), ref: 0077C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0077C270

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: cbcfb45c63eb10e59cfabbdb4b85d4a28c73fc2b24470b0962c1671b5b667b5c
Instruction ID: 8e12aa002fb6a9ceda885705988786615e48ad772155b7d70fef3aa54d0572eb
Opcode Fuzzy Hash: cbcfb45c63eb10e59cfabbdb4b85d4a28c73fc2b24470b0962c1671b5b667b5c
Instruction Fuzzy Hash: 1F31C570A04344AFEF23CF649895BE7BBECAB0A344F00849DD2DE97242C7785A84CB55

Function 007486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007485CC,?,007D8CC8,0000000C), ref: 00748704
GetLastError.KERNEL32(?,007485CC,?,007D8CC8,0000000C), ref: 0074870E
__dosmaperr.LIBCMT ref: 00748739

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction ID: 220c78d434cec0b5602b0aaeef549645116e905eb5a9ee5840d40c0f354895e9
Opcode Fuzzy Hash: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction Fuzzy Hash: 49018933A0526467D6E66734A889B7E27494B82B78F3A0119F818CB1D3DFACCC818193

Function 0071DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0071DB7B
DispatchMessageW.USER32(?), ref: 0071DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0071DB9F
Sleep.KERNELBASE(0000000A), ref: 0071DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00761CC9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 0880fb337d42742b7d4b4b3e8a3f42a988bbc0f41096a2112f9229f5de96682d
Instruction ID: 0959bbbc4cf89211d7a123bbe614e4a405870366d319ba41c7ec1cf9ab29f411
Opcode Fuzzy Hash: 0880fb337d42742b7d4b4b3e8a3f42a988bbc0f41096a2112f9229f5de96682d
Instruction Fuzzy Hash: 5CF054306443409BE730C7648C49FDA73ACEB85310F508518E60A870C0DB3894849F25

Function 00721310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007217F6

Strings

CALL, xrefs: 007217C6

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f3e249661a1351541d0048c07534f0fbf00b6a8c765fe42663ccc273e104c0ab
Instruction ID: 95f39f7418a0ebf6ff2b716d1e519465e902f3b8bf85a8ee810a38db45513dec
Opcode Fuzzy Hash: f3e249661a1351541d0048c07534f0fbf00b6a8c765fe42663ccc273e104c0ab
Instruction Fuzzy Hash: 6622CB70608351DFC714DF14D484A2ABBF1BF99314FA4896DF8868B3A2D739E851CB82

Function 00713837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b0ed89807fe0cba6536bc76611406b9f9caa42bd89f36f79cd9e9b464e2d90a9
Instruction ID: 66e2e1dfc3589fba36e3874dcc514136f424ccd4df000746995c296624b9695f
Opcode Fuzzy Hash: b0ed89807fe0cba6536bc76611406b9f9caa42bd89f36f79cd9e9b464e2d90a9
Instruction Fuzzy Hash: B531D270505300DFD721DF28D8857D7BBE8FB49708F00092EF99997290E7B9AA84CB56

Function 0072F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0072F661

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

Sleep.KERNEL32(00000000), ref: 0076F2DE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: eb834e4d1c80d41eae97cc22a182dbcb257b35ec54cf4f633026b1c349e4e863
Instruction ID: 8706964f43dd2b6efa8d98429620fb361a5e0db4d69cc8140a8e6dccf3b3742a
Opcode Fuzzy Hash: eb834e4d1c80d41eae97cc22a182dbcb257b35ec54cf4f633026b1c349e4e863
Instruction Fuzzy Hash: B2F08231240215AFD310EF69D449B9AB7E5FF49760F004029E859C72A0DB74AC40CF94

Function 0079AA6C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100400,00000000,?,?,?), ref: 0079AAF9

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputOpenProcessState
String ID:
API String ID: 2450012749-0
Opcode ID: 21f6fb4b1898fe1cb7a7da8f649a36c90bdaf4d9f8eaa891b52640280fb5fce7
Instruction ID: 587d38145509d46c9c732f0799cfa4e7544a97d4174e446baea38a658670db18
Opcode Fuzzy Hash: 21f6fb4b1898fe1cb7a7da8f649a36c90bdaf4d9f8eaa891b52640280fb5fce7
Instruction Fuzzy Hash: CD31ADB5209105BFCB15DF58D484DAABBA5FF48344B08C199F81A8B352D734ED80CBD1

Function 00714ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00714E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
Part of subcall function 00714E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
Part of subcall function 00714E90: FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EFD

Part of subcall function 00714E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
Part of subcall function 00714E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
Part of subcall function 00714E59: FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction ID: 76af7969f5a0577337adbcd0faad85bf62a73e91abf4df71a3cd64f4a0ee156a
Opcode Fuzzy Hash: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction Fuzzy Hash: B011EB31600205EBDF15BB68DC0AFED77A59F80711F10441DF542A62D1DE799A85D750

Function 00748402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00748440

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction ID: f30460c853e3dc0e3e3513be94dcb57c2beb8d9763100a9eb2d3614fc12aec4b
Opcode Fuzzy Hash: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction Fuzzy Hash: 781118B590410EAFCB05DF58E94599E7BF5EF48314F144059FC08AB312DB35EA11CBA5

Function 00745000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00744C7D: RtlAllocateHeap.NTDLL(00000008,00711129,00000000,?,00742E29,00000001,00000364,?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?), ref: 00744CBE

_free.LIBCMT ref: 0074506C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 51c1f12f1c16426740089c69f655a24486b61a07381b58eee4094772cea8e08e
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 16014976204705ABE3318F69D885A9AFBEDFB89370F65061DF184932C1EB34A805C7B4

Function 0073E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1a243268a1c68ddd28128b956a7ceb449ee541cce34ddaf88e3c17b924417484
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 88F0CD32511A14D7F7313A659C0EB5B37989F52375F100719F525931D3DB7CE80285A6

Function 00744C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00711129,00000000,?,00742E29,00000001,00000364,?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?), ref: 00744CBE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 684cb63b132dec826163496a89eaec8a492cc08efb4f3744cfb6f428d438e346
Instruction ID: de84e5fc178d8d214b39c303ce0938d6651e45a40d35da0365c5fbbbb4210b49
Opcode Fuzzy Hash: 684cb63b132dec826163496a89eaec8a492cc08efb4f3744cfb6f428d438e346
Instruction Fuzzy Hash: 21F0E932603224A7EB315F62AC89B5B3788BF417A1F1C8111FC15AA181CB3CDC0066F0

Function 00743820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction ID: baf43af9b646a94707b2f5615ce9bdf9c07b6fd36ae64d4b311f996c418f76aa
Opcode Fuzzy Hash: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction Fuzzy Hash: 5EE0E532141224AAF62126679C05B9BB74DAB827B0F0A0022BC1C96481DB2DED0185F0

Function 00714F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714F6D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction ID: b39c22409534f28a96a4f2beedde8827906a01dfd44a995f61bfe2f7a18688fe
Opcode Fuzzy Hash: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction Fuzzy Hash: 2FF0A070105301CFDB348F28D490892B7F8EF00319318897EE1DA86651C7399885DF00

Function 007130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0071314E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 945847f4eee698005b5f95895eb9710610e8ac161fa8b45af31a526106f11494
Instruction ID: cde9f29037e05a8d30cbb90b11d99c27e502a61487f44a4ba6581412cdb6456a
Opcode Fuzzy Hash: 945847f4eee698005b5f95895eb9710610e8ac161fa8b45af31a526106f11494
Instruction Fuzzy Hash: D9F0A7709003589FE753DB24DC8A7D57BBCA705708F0040E5A1489A182D77847C8CF45

Function 00712DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction ID: ef46e7dde26e139298ecb2fe795f6294e96c75ef564f41c83da2b11f1bb84556
Opcode Fuzzy Hash: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction Fuzzy Hash: D6E0CD726041245BC72192589C09FEA77EDDFC8791F054071FD09D7288D964AD848550

Function 00712B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00713837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 007130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0071314E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3af3390a6e78bbfa73126e08ad70e50686c00815381e8b541e7ad39f310b5f4d
Instruction ID: 409194b16441804dff6b74a42844c6ffe8a26902afca06ce8ac2de5d6dce600e
Opcode Fuzzy Hash: 3af3390a6e78bbfa73126e08ad70e50686c00815381e8b541e7ad39f310b5f4d
Instruction Fuzzy Hash: 7AE0263230428483CB04BB7CA85B4EDA3998BD6351F40043EF142472E3CE2C89C64352

Function 0075039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction ID: 4dae7c9d816b162cea2ea98dab8e5618de76efff89b4ddcf5f45c17c5ab07e1e
Opcode Fuzzy Hash: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction Fuzzy Hash: 32D06C3214010DBBDF028F84DD06EDA3BAAFB88714F018000BE1856020C736E821AB94

Function 00711CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00711CBC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction ID: 7b27006ae3dbb585dc09542d98860080c415c026221e8c6ba1212d1f650abdde
Opcode Fuzzy Hash: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction Fuzzy Hash: E8C09B36281344AFF2154784BD9BF107758A34CB00F54C001F6095D5E3C7B51830D658

Function 00761DC2 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0071D807
Sleep.KERNELBASE(?,CCCCCCCC,00000000), ref: 00762CA9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputSleepState
String ID:
API String ID: 1650039560-0
Opcode ID: 9651ea0ecfefb729529a8ff3c1c312fa72daf11c170ab590a22567458120f52f
Instruction ID: bc79f20a1e015cea6001b8cf953d8ea284004bb76fa0073b093280c86366151f
Opcode Fuzzy Hash: 9651ea0ecfefb729529a8ff3c1c312fa72daf11c170ab590a22567458120f52f
Instruction Fuzzy Hash: 04E02B31348542AAD37ACB3C90047F0F780F717310F048662C419C12D1D3A95CA0DFD2

Non-executed Functions

Function 007A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A96C9
SendMessageW.USER32 ref: 007A96F2
GetKeyState.USER32(00000011), ref: 007A978B
GetKeyState.USER32(00000009), ref: 007A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A97AE
GetKeyState.USER32(00000010), ref: 007A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A97E9
SendMessageW.USER32 ref: 007A9810
SendMessageW.USER32(?,00001030,?,007A7E95), ref: 007A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007A9941
SetCapture.USER32(?), ref: 007A994A
ClientToScreen.USER32(?,?), ref: 007A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A99D6
ReleaseCapture.USER32 ref: 007A99E1
GetCursorPos.USER32(?), ref: 007A9A19
ScreenToClient.USER32(?,?), ref: 007A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9A80
SendMessageW.USER32 ref: 007A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9AEB
SendMessageW.USER32 ref: 007A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007A9B4A
GetCursorPos.USER32(?), ref: 007A9B68
ScreenToClient.USER32(?,?), ref: 007A9B75
GetParent.USER32(?), ref: 007A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9BFA
SendMessageW.USER32 ref: 007A9C2B
ClientToScreen.USER32(?,?), ref: 007A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9CDE
SendMessageW.USER32 ref: 007A9D01
ClientToScreen.USER32(?,?), ref: 007A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007A9D82

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetWindowLongW.USER32(?,000000F0), ref: 007A9E05

Strings

p#~, xrefs: 007A9990
@GUI_DRAGID, xrefs: 007A997D
F, xrefs: 007A9D07

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#~
API String ID: 3429851547-1555356086
Opcode ID: a81494756b5c16d922db1a6d2933ba0c91873e23e13bb3b0c71040077a71e5a5
Instruction ID: 6a82f58d750d80f826d47a86aeee34baf1f2e70868d32edbe6bfb59c7a7a74e7
Opcode Fuzzy Hash: a81494756b5c16d922db1a6d2933ba0c91873e23e13bb3b0c71040077a71e5a5
Instruction Fuzzy Hash: DF429D34605240EFD725CF24CC88EAABBE5FF8A320F144659F699872A1D739E860CF55

Function 007A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A7E
IsMenu.USER32(?), ref: 007A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4B20
GetWindowLongW.USER32(?,000000F0), ref: 007A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007A4C82
wsprintfW.USER32 ref: 007A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4D5A

Strings

%d/%02d/%02d, xrefs: 007A4CA8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 329c01c8aa33bbe21530c65c88ac1dfe97ef40cc2b49e97b4b715793c7403010
Instruction ID: 30c6300bd6b80a34e4908a5955d2e2492ee48131dc943114950bd07f17795a1d
Opcode Fuzzy Hash: 329c01c8aa33bbe21530c65c88ac1dfe97ef40cc2b49e97b4b715793c7403010
Instruction Fuzzy Hash: 7F12D071600214ABEB258F28DC49FAE7BF8EFC6310F144269F516EA1E1DBBD9940CB50

Function 0072F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0072F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076F474
IsIconic.USER32(00000000), ref: 0076F47D
ShowWindow.USER32(00000000,00000009), ref: 0076F48A
SetForegroundWindow.USER32(00000000), ref: 0076F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4AA
GetCurrentThreadId.KERNEL32 ref: 0076F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0076F4DE
SetForegroundWindow.USER32(00000000), ref: 0076F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F4F6
keybd_event.USER32(00000012,00000000), ref: 0076F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F50B
keybd_event.USER32(00000012,00000000), ref: 0076F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F519
keybd_event.USER32(00000012,00000000), ref: 0076F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F528
keybd_event.USER32(00000012,00000000), ref: 0076F52D
SetForegroundWindow.USER32(00000000), ref: 0076F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0076F557

Strings

Shell_TrayWnd, xrefs: 0076F46F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction ID: c74e06e898cf58708ede0b832b91664226dcd9e869fee5993b54badd4cbcc2b9
Opcode Fuzzy Hash: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction Fuzzy Hash: C3318671A40218BFEB216BB55C4AFBF7E6CEB85B50F204065FA01F61D1CBB85D10AE64

Function 00771201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00771286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007712A8
CloseHandle.KERNEL32(?), ref: 007712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007712D1
GetProcessWindowStation.USER32 ref: 007712EA
SetProcessWindowStation.USER32(00000000), ref: 007712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00771310

Part of subcall function 007710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
Part of subcall function 007710BF: CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Strings

, xrefs: 0077125A
winsta0, xrefs: 007712CC
default, xrefs: 0077130B
Z}, xrefs: 00771392

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z}
API String ID: 22674027-3716028957
Opcode ID: a7185daa8a9ae8dec665253ed3f84f09c0d6d98e7167301a9755f922241498e9
Instruction ID: d3b4d6251fc08764519caa10097faab7ddcc3c74bb6bbace1a1b9e2037359d67
Opcode Fuzzy Hash: a7185daa8a9ae8dec665253ed3f84f09c0d6d98e7167301a9755f922241498e9
Instruction Fuzzy Hash: 1581AB71A00248BFDF218FA8DC49FEE7BB9EF45744F14C129F918A62A0D7388944CB65

Function 00770B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770C00
GetLengthSid.ADVAPI32(?), ref: 00770C17
GetAce.ADVAPI32(?,00000000,?), ref: 00770C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770C6D
GetLengthSid.ADVAPI32(?), ref: 00770C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770C8C
HeapAlloc.KERNEL32(00000000), ref: 00770C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770CB4
CopySid.ADVAPI32(00000000), ref: 00770CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D45
HeapFree.KERNEL32(00000000), ref: 00770D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D55
HeapFree.KERNEL32(00000000), ref: 00770D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D65
HeapFree.KERNEL32(00000000), ref: 00770D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00770D78
HeapFree.KERNEL32(00000000), ref: 00770D7F

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction ID: a79a72d81b488964055420e2883e5a6b6d4bd599990f97b037976d16129a087d
Opcode Fuzzy Hash: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction Fuzzy Hash: 12715C71A0020AFBDF11DFA4DC49BEEBBB8BF45340F048515E919A6291D779A905CFA0

Function 0078EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007ACC08), ref: 0078EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0078EB37
GetClipboardData.USER32(0000000D), ref: 0078EB43
CloseClipboard.USER32 ref: 0078EB4F
GlobalLock.KERNEL32(00000000), ref: 0078EB87
CloseClipboard.USER32 ref: 0078EB91
GlobalUnlock.KERNEL32(00000000), ref: 0078EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0078EBC9
GetClipboardData.USER32(00000001), ref: 0078EBD1
GlobalLock.KERNEL32(00000000), ref: 0078EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0078EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0078EC38
GetClipboardData.USER32(0000000F), ref: 0078EC44
GlobalLock.KERNEL32(00000000), ref: 0078EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0078EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0078ECF3
CountClipboardFormats.USER32 ref: 0078ED14
CloseClipboard.USER32 ref: 0078ED59

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction ID: 7ff2d144c836c6dbad879efa604d19d99da0c70b2948f4a286ddd7a8435cb60c
Opcode Fuzzy Hash: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction Fuzzy Hash: 2661EF74244201EFD301EF24C889F6ABBE4AF85714F088519F456872E2DB39ED4ACB62

Function 0078698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007869BE
FindClose.KERNEL32(00000000), ref: 00786A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A75

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00786AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00786ADF

Strings

%02d, xrefs: 00786C00, 00786C0A, 00786C5A, 00786CAA, 00786CFA, 00786D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00786B6A
%03d, xrefs: 00786DA2
%4d, xrefs: 00786BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00786B32

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 562bcd879568ef63ad33bd485137ce873c6d95c7d3f6825f48d5f86038c7ccbb
Instruction ID: 7ffda116ebeb2cbccff88cbb81b9775a738d55b85e881619ee921dade9aafed1
Opcode Fuzzy Hash: 562bcd879568ef63ad33bd485137ce873c6d95c7d3f6825f48d5f86038c7ccbb
Instruction Fuzzy Hash: D8D15FB2508340AFC314EBA4D896EABB7FCAF88704F04491DF585D7191EB78DA45CB62

Function 00789642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00789663
GetFileAttributesW.KERNEL32(?), ref: 007896A1
SetFileAttributesW.KERNEL32(?,?), ref: 007896BB
FindNextFileW.KERNEL32(00000000,?), ref: 007896D3
FindClose.KERNEL32(00000000), ref: 007896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0078974A
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 00789768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00789772
FindClose.KERNEL32(00000000), ref: 0078977F
FindClose.KERNEL32(00000000), ref: 0078978F

Strings

*.*, xrefs: 007896F5

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction ID: 858c53429e59d10ad98046e1903c59807454d7089f3e72114eb0827220df6c2d
Opcode Fuzzy Hash: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction Fuzzy Hash: 6831D5726802197EDF11AFB4DC08AEE77ACAF4A320F188156F905E2190EB3CDE408B54

Function 0078979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00789819
FindClose.KERNEL32(00000000), ref: 00789824
FindFirstFileW.KERNEL32(*.*,?), ref: 00789840
SetCurrentDirectoryW.KERNEL32(?), ref: 00789890
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 007898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007898B8
FindClose.KERNEL32(00000000), ref: 007898C5
FindClose.KERNEL32(00000000), ref: 007898D5

Part of subcall function 0077DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0077DB00

Strings

*.*, xrefs: 0078983B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction ID: 46cd3f0ec63e8c1e6efcd3a4ce6290e8e6a1d0c281f81b25f855111afa7bb3e6
Opcode Fuzzy Hash: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction Fuzzy Hash: 0C31E57258021ABEEF10AFB4DC48AEE37ACAF46320F188156E950A21D1DB39DD448B64

Function 0079BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0079BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0079BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0079C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0079C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0079C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079C382
RegCloseKey.ADVAPI32(00000000), ref: 0079C38F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 30b496ce39627cc9fb119e35a466524212f42e1dcafb400d7e514644741d1970
Instruction ID: ed15d1b0746906dad85432a15a451fb6f358487b1da47371d7fbc3be250a8008
Opcode Fuzzy Hash: 30b496ce39627cc9fb119e35a466524212f42e1dcafb400d7e514644741d1970
Instruction Fuzzy Hash: 91025B71604200EFDB15DF28D895E2ABBE5AF89304F18C49DF84ACB2A2D735EC45CB52

Function 00788195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00788257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00788267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00788273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00788310
SetCurrentDirectoryW.KERNEL32(?), ref: 00788324
SetCurrentDirectoryW.KERNEL32(?), ref: 00788356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0078838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00788395

Strings

*.*, xrefs: 0078839B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction ID: 6fba0a85c048567482ed5dcfcfe7098b29670df480dd8df3f8dc156f1a006c0b
Opcode Fuzzy Hash: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction Fuzzy Hash: DA617BB25443059FCB10EF64C8449AEB3E9FF89310F44891EF999C7251EB39E945CB92

Function 0077D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0077D1DD
MoveFileW.KERNEL32(?,?), ref: 0077D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D237

Part of subcall function 0077D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0077D21C,?,?), ref: 0077D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0077D253
FindClose.KERNEL32(00000000), ref: 0077D264

Strings

\*.*, xrefs: 0077D0CD, 0077D0D6, 0077D0EB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: be0c871c67662cc5346ffa71317debb57d520037972d43d8d722098143122fdc
Instruction ID: 1f49a11783cd33b1f511c938a3580366ca277e130ce0a6f379f41f4f6855aa5c
Opcode Fuzzy Hash: be0c871c67662cc5346ffa71317debb57d520037972d43d8d722098143122fdc
Instruction Fuzzy Hash: 91618C3180110DEFCF15EBE4C9969EDB7B9AF55340F248065E50A77192EB38AF4ACB60

Function 0078ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0078ED91
EmptyClipboard.USER32 ref: 0078ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0078EDAC
CloseClipboard.USER32 ref: 0078EEA3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction ID: b3dc44cb50ab052d5fb7f293f49f538a7bceeae591fce03841f2272534dfe90b
Opcode Fuzzy Hash: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction Fuzzy Hash: F9418D35244611EFE721EF15D888B59BBE5FF45318F14C099E4158B6A2C739EC42CB94

Function 0077E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

ExitWindowsEx.USER32(?,00000000), ref: 0077E932

Strings

SeShutdownPrivilege, xrefs: 0077E902
@, xrefs: 0077E925
, xrefs: 0077E920
, xrefs: 0077E95C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction ID: 4ac8a1da5beee408550004aed758433446311a5863956aaee349a67a270a4d24
Opcode Fuzzy Hash: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction Fuzzy Hash: D9012B73610210BBEF5426749C89BBB725C97087C4F15C462FA06E21D1D6AC7C408695

Function 00791204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00791276
WSAGetLastError.WSOCK32 ref: 00791283
bind.WSOCK32(00000000,?,00000010), ref: 007912BA
WSAGetLastError.WSOCK32 ref: 007912C5
closesocket.WSOCK32(00000000), ref: 007912F4
listen.WSOCK32(00000000,00000005), ref: 00791303
WSAGetLastError.WSOCK32 ref: 0079130D
closesocket.WSOCK32(00000000), ref: 0079133C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction ID: f581364c2dc70ccfe56072e5df8c08002543a07f46a255e19c6a8cca276a01d1
Opcode Fuzzy Hash: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction Fuzzy Hash: 6F418431600101AFDB10EF68D488B69BBE6BF86314F58C198D8569F2D2C779ED81CBE1

Function 0077D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D481
FindClose.KERNEL32(00000000), ref: 0077D498
FindClose.KERNEL32(00000000), ref: 0077D4A1

Strings

\*.*, xrefs: 0077D3F2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 617ef96ba5d6e4ffc7c1029e71a398054fa54e6d113355d54847c9e5edd9824c
Instruction ID: 48e10a85b0e9c74252726a5ea6374990367a8fd1cd3b0c1da4c5a09b27049853
Opcode Fuzzy Hash: 617ef96ba5d6e4ffc7c1029e71a398054fa54e6d113355d54847c9e5edd9824c
Instruction Fuzzy Hash: 2D318171008381ABC711EF64C8558EFB7B8BE91350F44891DF4D5521D1EB28AE49C767

Function 0074E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0074E645

Strings

1#INF, xrefs: 0074F852
1#SNAN, xrefs: 0074F844
1#IND, xrefs: 0074F83D
1#QNAN, xrefs: 0074F84B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction ID: b94f35600fa1faed84426f93ab01cc4148812555cb312560ec175ac0d9ad1d44
Opcode Fuzzy Hash: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction Fuzzy Hash: BEC23972E086288FDB25CE28DD447EAB7B5FB48315F1541EAD84DE7241E778AE818F40

Function 0078648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007864DC
CoInitialize.OLE32(00000000), ref: 00786639
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 00786650
CoUninitialize.OLE32 ref: 007868D4

Strings

.lnk, xrefs: 007864BA, 00786524, 007865E0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 02986613a8c3cd88651a7b4077b10be7eb24a244a33e96234c5826a62059cc2c
Instruction ID: b5e507368f04c98dbfce830ca91f85da0fafd7c3864cf5ddf2751edc04662272
Opcode Fuzzy Hash: 02986613a8c3cd88651a7b4077b10be7eb24a244a33e96234c5826a62059cc2c
Instruction Fuzzy Hash: 3FD15D71548301AFC304EF24C8959ABB7E8FF98704F00496DF5958B291DB74ED46CBA2

Function 007922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007922E8

Part of subcall function 0078E4EC: GetWindowRect.USER32(?,?), ref: 0078E504

GetDesktopWindow.USER32 ref: 00792312
GetWindowRect.USER32(00000000), ref: 00792319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00792355
GetCursorPos.USER32(?), ref: 00792381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007923DF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction ID: 251b3c70d79bc3e8cc5b3627ad737d4d9e2cbdc03e739c03e570955870b0e2a4
Opcode Fuzzy Hash: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction Fuzzy Hash: 5931E072504315AFCB21EF14D849B5BBBA9FFC9310F004919F98997182DB38EA09CB96

Function 00789B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00789B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00789C8B

Part of subcall function 00783874: GetInputState.USER32 ref: 007838CB
Part of subcall function 00783874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00789BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00789C75

Strings

*.*, xrefs: 00789B5D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 86b073a4ac8725bb02d0592948e40be599f75e6d8c24b089cf6af01876d24107
Instruction ID: a90d64912a4ddcf9ee2f3db1ae3159fdb9dd2a2be9e2a67a55a1f03b3bc84655
Opcode Fuzzy Hash: 86b073a4ac8725bb02d0592948e40be599f75e6d8c24b089cf6af01876d24107
Instruction Fuzzy Hash: 66418371940209EFDF15EF74C849AEEBBB4FF45310F244156E905A2191EB399E84CF64

Function 0072997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00729A4E
GetSysColor.USER32(0000000F), ref: 00729B23
SetBkColor.GDI32(?,00000000), ref: 00729B36

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction ID: 537bb205f96940ef3e425cb51287367c28107cd6367a87638e964c25096f45ba
Opcode Fuzzy Hash: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction Fuzzy Hash: 41A14BB0109564FEE72D9A3CAC8DD7B26ADDF87354F188209FB03CA591CA2D9D41C275

Function 00791806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0079185D
WSAGetLastError.WSOCK32 ref: 00791884
bind.WSOCK32(00000000,?,00000010), ref: 007918DB
WSAGetLastError.WSOCK32 ref: 007918E6
closesocket.WSOCK32(00000000), ref: 00791915

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction ID: b58b9c2e3cb7a583d2fb73c7095b2db2ab23c087bce01bb604ccd77e3dc0044c
Opcode Fuzzy Hash: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction Fuzzy Hash: 5D51B271A00210AFEB10AF28D88AF6A77E5AB45718F48C098F9155F3C3C779AD41CBE1

Function 007A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007A1CC0
IsWindowEnabled.USER32 ref: 007A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007A1CDB
IsIconic.USER32 ref: 007A1CE9
IsZoomed.USER32 ref: 007A1CF7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 75a7eb5387a3e1d9517a3c40989eeb29a6e49fb45078b7826b829fcbaab44ffc
Instruction ID: a8996c36dca701b868b75ecbc45157b8a3a4aa0f26dac9a65b8e974d398cc0dc
Opcode Fuzzy Hash: 75a7eb5387a3e1d9517a3c40989eeb29a6e49fb45078b7826b829fcbaab44ffc
Instruction Fuzzy Hash: 2B21B5317402109FE7218F2AC844B6A7BE5EFC6325F598158E846CB352DB79DC42CBA4

Function 00718060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0071843C
VUUU, xrefs: 007183E8
VUUU, xrefs: 00755DF0
VUUU, xrefs: 007183FA
ERCP, xrefs: 0071813C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction ID: 6f557e7a13bc18746ad785e39757a3d4a7b738f0cd969186fb62d65c51621c92
Opcode Fuzzy Hash: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction Fuzzy Hash: F1A29F70E0061ACBDF64CF58C8907EDB7B1BB54311F2481AAEC15A7285EB789DC5CB91

Function 00778298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007782AA

Strings

|, xrefs: 007782DA
tb}, xrefs: 007784F4
(, xrefs: 007782F0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb}$|
API String ID: 1659193697-2483859856
Opcode ID: 03ed6a28848e7d0c8de7cd8d0790aa5a4004f7af5e6ed141c8b40bb79a2015ac
Instruction ID: a241425c70ab24491b6eaa44b3166cd77de142b95661e282271aac67f5c28c39
Opcode Fuzzy Hash: 03ed6a28848e7d0c8de7cd8d0790aa5a4004f7af5e6ed141c8b40bb79a2015ac
Instruction Fuzzy Hash: B8323474A00605DFCB68CF69C084A6AB7F0FF48750B15C56EE49ADB3A1EB74E981CB41

Function 0077AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0077AAAC
SetKeyboardState.USER32(00000080), ref: 0077AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0077AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0077AB88

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction ID: f7b293f2b0219cd9f7f119fe342ad18b58da321774cfe073e7bc186f8075620e
Opcode Fuzzy Hash: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction Fuzzy Hash: E33109B1A40248BEFF35CA64CC05BFE77A6ABC5350F04C21AF189561E1D37C9985C766

Function 0074BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0074BB7F

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

GetTimeZoneInformation.KERNEL32 ref: 0074BB91
WideCharToMultiByte.KERNEL32(00000000,?,007E121C,000000FF,?,0000003F,?,?), ref: 0074BC09
WideCharToMultiByte.KERNEL32(00000000,?,007E1270,000000FF,?,0000003F,?,?,?,007E121C,000000FF,?,0000003F,?,?), ref: 0074BC36

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 6705edb71f69fe3b7b964306c2a611753f532707a779766239f05196f37f635d
Instruction ID: 22fa56a5a1d48a073939ae7add3f9a112ad3eb0a06da71f2a50633785c7e7ae9
Opcode Fuzzy Hash: 6705edb71f69fe3b7b964306c2a611753f532707a779766239f05196f37f635d
Instruction Fuzzy Hash: 2C31B070A04245EFCB11DF69CCC182DBBB8FF4A35075586AAE150DB2A1D738DD41CB64

Function 0078CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0078CE89
GetLastError.KERNEL32(?,00000000), ref: 0078CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0078CEFE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction ID: 5ab7a1b3cc7ec420ee4d53d9262dfa284f086548df018b9464d9b5e09cb0678b
Opcode Fuzzy Hash: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction Fuzzy Hash: 8B21CFB2540305EBEB32EF65C949BA7B7FCEB40314F10841EE646D2151EB78EE048B64

Function 00785C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00785CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00785D17
FindClose.KERNEL32(?), ref: 00785D5F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction ID: 5caa924bceda6421d0d6e14505dfd43ae1edbb1c833121143203ab90be7874f7
Opcode Fuzzy Hash: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction Fuzzy Hash: 15519A75704A01DFC714DF28C498A96B7E4FF49314F14855EE95A8B3A2CB38EC44CBA1

Function 00742622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0074271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00742724
UnhandledExceptionFilter.KERNEL32(?), ref: 00742731

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction ID: 900e284fc14a955f19388db890ddb076f9fd90f0d7a85a3fb04be8894caacda3
Opcode Fuzzy Hash: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction Fuzzy Hash: CF31D57494122CABCB21DF64DD887DCBBB8AF08310F5081EAE40CA7261E7349F818F45

Function 007851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00785238
SetErrorMode.KERNEL32(00000000), ref: 007852A1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction ID: 90bb344ff3262e5ec305e0776f52d376dd1277b17bb60e7ed54efc3fd2a2e9d7
Opcode Fuzzy Hash: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction Fuzzy Hash: 10315075A00518DFDB00DF54D888EADBBF5FF49314F088099E8059B392DB35E856CB90

Function 007716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730668
Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
GetLastError.KERNEL32 ref: 0077174A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction ID: 006df684b40a2ef75372a37d626e28427f634c7938695d93609e416c9fcde467
Opcode Fuzzy Hash: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction Fuzzy Hash: 4D1191B2504304BFDB189F54EC86D6BB7BDEB44754B20C52EE05657241EB74BC418B64

Function 0077D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0077D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D650

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction ID: e160c162093a01a06ebec37c6d1e6b3681c2ad03cd159bce7f979925ac246f02
Opcode Fuzzy Hash: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction Fuzzy Hash: 52115E75E05228BFDB218F95DC45FAFBBBCEB45B90F108115F908E7290D6744E058BA1

Function 00771663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007716A1
FreeSid.ADVAPI32(?), ref: 007716B1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction ID: a06a0ffde052be720ac62903b1d0535bc6a15ff69b92f30ebc399cc4fb198497
Opcode Fuzzy Hash: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction Fuzzy Hash: 4DF0F47195030DFBDF01DFE49C89AAEBBBCEB08644F508565E601E2181E778AA448B54

Function 0076D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0076D28C

Strings

X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction ID: f72d0ec976e44be8fd900533816f1512d22994b5ad2ca17f3e92a5d765834ca4
Opcode Fuzzy Hash: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction Fuzzy Hash: 34D0CAB481116DEECBA0CBA0EC88DEAB3BCBB04305F104292F506A2000DB789A488F20

Function 0073CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: daae3e6d4a2dbff54cf49b291f8839ea577bbfb18e533db465d9402f8d9dbaf9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F2022D72E002199FEF15CFA9C8806ADFBF1EF48314F258169E919F7381D735AA418B90

Function 0071CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00760C40
p#~, xrefs: 0071CF7F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#~
API String ID: 0-3866028822
Opcode ID: c43e7265a31b2932ec9fbf72569071f5fdf567072b4f90d82f9bb266cc193a47
Instruction ID: 9bb3ff8076c1c36e097326131e4496056075bcae88daab8d156064b3d33845e5
Opcode Fuzzy Hash: c43e7265a31b2932ec9fbf72569071f5fdf567072b4f90d82f9bb266cc193a47
Instruction Fuzzy Hash: 50328070940218DFCF15DF98D885AEEB7B5FF05304F148059E806AB2D2D779AD86CBA1

Function 007868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00786918
FindClose.KERNEL32(00000000), ref: 00786961

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction ID: 637e530f3fad9467de3aa12b805b9eff45e83af646291ab18d8bb8416a9b5e66
Opcode Fuzzy Hash: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction Fuzzy Hash: 9E118E71604200AFD710DF69D488A16BBE5FF85328F14C69DE4698F6A2CB38EC45CB91

Function 007837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837F4

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ed7faf894b2313ac16443a80f83f8ea3812ec7525aa6679e1e8764374a638b7a
Instruction ID: 9e25effdb0cc1a91e4dbf5f7a34d88a463d1f46c90f752d66f75e622daa19a71
Opcode Fuzzy Hash: ed7faf894b2313ac16443a80f83f8ea3812ec7525aa6679e1e8764374a638b7a
Instruction Fuzzy Hash: 1FF0EC706052147AD71027794C4DFDB369DEFC5B61F000275F505D22C1D9749944C7B0

Function 0077B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0077B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0077B270

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction ID: 3a82427765ddae691a036731353a69b65502cea8e43467958376d625109ca565
Opcode Fuzzy Hash: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction Fuzzy Hash: C2F01D7180424DABDF059FA0C805BBE7BB4FF09309F10C009F955A5192C37D86119F98

Function 007710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cf3c87eadb58f0373deaf6005e17c9653ce3fe178b4f1cfb2ac68685db1f6592
Instruction ID: 87c8f9bc81b1ab12f6e6c824503114ca8c6864d0cd184aa0a67b87fb9717aceb
Opcode Fuzzy Hash: cf3c87eadb58f0373deaf6005e17c9653ce3fe178b4f1cfb2ac68685db1f6592
Instruction Fuzzy Hash: A4E04F32004610FEEB262B11FC09E7377A9EF04310B10C82DF4A6804B1DB666C90DB54

Function 0074676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00746766,?,?,00000008,?,?,0074FEFE,00000000), ref: 00746998

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction ID: 7ae972dcdc914ef9c67f1d5c013db30c36c3acfa136c903ca9ebf6ec8c41be89
Opcode Fuzzy Hash: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction Fuzzy Hash: ABB13A71610608DFD719CF28C48AB657BE0FF46364F25C658E899CF2A2C339E991CB41

Function 0072B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0076851F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction ID: cf08e47dcb5e5b5d909b0b1fed935b0b451a0f5847a6a15bb03ee41766231c96
Opcode Fuzzy Hash: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction Fuzzy Hash: 4E124071900229DFCB54DF58D880AEEB7F5FF48710F14819AE849EB255EB389E81CB91

Function 0078EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0078EABD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction ID: f25727e56b4a2aa9b75f43b1a001027f99e19c04d0618a56d7a973812295c804
Opcode Fuzzy Hash: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction Fuzzy Hash: 18E01A32240204AFC710EF59D808E9AB7E9AF98B60F04C416FC49C7291DB78E8818B91

Function 007309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007303EE), ref: 007309DA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction ID: db1a77139aa106494364c2c9db253bd7165492016a29353edf7576696d33badc
Opcode Fuzzy Hash: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction Fuzzy Hash:

Function 0073781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0073798B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f8191f6f199374d7a7de4d3bb88afd30f1a8f5fdc7f4dc601de2d919780b7f4b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2A517BF160C745ABFB3C8568889E7FE63C99B12300F184A09E982DB383C61DEE41D352

Function 00782046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&~, xrefs: 00782053

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: 0&~
API String ID: 0-2940855197
Opcode ID: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction ID: 23a9c30f300783b5595706dec1a54ec2d1ff898a85e86232ecfee897233ffde6
Opcode Fuzzy Hash: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction Fuzzy Hash: D32108322612108BDB28CE79C81267A73E9A754310F14862EE0A3C77C1DE79A905C784

Function 00746DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction ID: 22e22bc5b31753577da14bfc814d629730718cce7a124dcdbf0083324ba6bf15
Opcode Fuzzy Hash: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction Fuzzy Hash: 64322522D29F414DDB279635CC22335A64DAFB73C5F15D737E81AB59AAEB2DC4838100

Function 0072CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction ID: c1119d207840d97d6aa02c00fb6546fc0faa0234f2570b27361c7a66f0119b3d
Opcode Fuzzy Hash: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction Fuzzy Hash: ED321431A001158BDF2ACF68D89467D7BA1EB55300F28816ADCCBDB291E73CDE81DB61

Function 00717920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023b7d3a2eda0dadd0dbfa6e55aa77c24e125d207d1e7b03ec59a32f5e13ecb0
Instruction ID: 6df75fee7115c8fcb1ad3a95c0214df383bb5496b31084d9499c01030bdf6364
Opcode Fuzzy Hash: 023b7d3a2eda0dadd0dbfa6e55aa77c24e125d207d1e7b03ec59a32f5e13ecb0
Instruction Fuzzy Hash: 4222D2B0A04609DFDF14CF68D895AEEB3F6FF44300F204129E816A7291EB79AD55CB50

Function 007191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1c1752e221a52cca1880a6a9ab037c3b5bffda10e5280673e0f38a35b79225
Instruction ID: 1e97ac94efa82c04c7ad305575cb51394b32ed07f54bb2273f93c29978fecb21
Opcode Fuzzy Hash: 4c1c1752e221a52cca1880a6a9ab037c3b5bffda10e5280673e0f38a35b79225
Instruction Fuzzy Hash: CE02F6B0E00209EBDF04DF64D885AEEB7B5FF44300F108169E9169B291EB79EE55CB91

Function 00749EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a38ead9f39fd03880e77736ec5f73749892a885a1ca446dadc68435b197f593
Instruction ID: 22b3489974c46dca195f3c4537c54cc90fafa9c45a3f3fe417de64ce35ec1eec
Opcode Fuzzy Hash: 8a38ead9f39fd03880e77736ec5f73749892a885a1ca446dadc68435b197f593
Instruction Fuzzy Hash: 06B1EF20D2AF414DD22396398835337B69CAFBB6D5F92D31BFC2675D22EB2686C34140

Function 00731C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 747b0c9e019a034b9de7d67fc5b7c3da95c9e076cf59fd8d8f445c97d31a785a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 289189732090E34AFB29463E857403EFFE15A523A2B5A079DD4F2CB1C6FE18D954D620

Function 00731F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e681d032b82fd8801e80e00bc3afa74a24427d3bc257f3d54628b00ace2db6f9
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 009156722090E349FB6D423D857403EFFE15A923A1B1A079DD4F2CB1C7EE28D959E620

Function 007319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2e7442406410d10b90ae99023f84cb40d72b1cf45a2ec00d4cd01b45524e4982
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1891577220D0E34EFB2D467A857403DFFE15A923A2B5A479ED4F2CA1C2FD18D564D620

Function 00737A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction ID: 623a69fd8901438e650cf29196f87b6b738da55f9ad7a3129dbb2d8bdc5558a5
Opcode Fuzzy Hash: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction Fuzzy Hash: 2E615CF1208749A6FE7C5A2C8C95BBEA3A8DF41700F14491DF843DB283D61D9E42C366

Function 00737CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction ID: cd8a879b8a2401a0b19c43e13ec49133553584e1da7a1fd6f33f025e24f753f4
Opcode Fuzzy Hash: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction Fuzzy Hash: D4616BF1758709A6FE3C5A288896BBF2398DF41700F104959F943DF283D62EAD41C356

Function 00731706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 228bda9c24756fb4c75185dcb6c225ed39b42796dd5b22932373e3461a26a414
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3A8193726080E309FB2D823A853407EFFE15A923B1B5E079DD4F2CA1C3EE28D554E620

Function 00792ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00792B30
DeleteObject.GDI32(00000000), ref: 00792B43
DestroyWindow.USER32 ref: 00792B52
GetDesktopWindow.USER32 ref: 00792B6D
GetWindowRect.USER32(00000000), ref: 00792B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00792CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00792CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792CF8
GetClientRect.USER32(00000000,?), ref: 00792D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00792D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D80
GlobalLock.KERNEL32(00000000), ref: 00792D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D98
GlobalUnlock.KERNEL32(00000000), ref: 00792DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DA8
GlobalFree.KERNEL32(00000000), ref: 00792DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007AFC38,00000000), ref: 00792DDB
GlobalFree.KERNEL32(00000000), ref: 00792DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00792E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00792E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0079303F

Strings

static, xrefs: 00792D3A, 00792E91
AutoIt v3, xrefs: 00792CF2
, xrefs: 00792FC5
DISPLAY, xrefs: 00792EA2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction ID: c1038f47d585b850984fe188bf91fe37d0f53c34bd38ea7eb998faeea107e17e
Opcode Fuzzy Hash: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction Fuzzy Hash: D5027E71600204FFDB15DF64DC89EAE7BB9FB49310F008158F915AB2A1DB38AD01CB64

Function 007A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007A712F
GetSysColorBrush.USER32(0000000F), ref: 007A7160
GetSysColor.USER32(0000000F), ref: 007A716C
SetBkColor.GDI32(?,000000FF), ref: 007A7186
SelectObject.GDI32(?,?), ref: 007A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007A71C0
GetSysColor.USER32(00000010), ref: 007A71C8
CreateSolidBrush.GDI32(00000000), ref: 007A71CF
FrameRect.USER32(?,?,00000000), ref: 007A71DE
DeleteObject.GDI32(00000000), ref: 007A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007A7230
FillRect.USER32(?,?,?), ref: 007A7262
GetWindowLongW.USER32(?,000000F0), ref: 007A7284

Part of subcall function 007A73E8: GetSysColor.USER32(00000012), ref: 007A7421
Part of subcall function 007A73E8: SetTextColor.GDI32(?,?), ref: 007A7425
Part of subcall function 007A73E8: GetSysColorBrush.USER32(0000000F), ref: 007A743B
Part of subcall function 007A73E8: GetSysColor.USER32(0000000F), ref: 007A7446
Part of subcall function 007A73E8: GetSysColor.USER32(00000011), ref: 007A7463
Part of subcall function 007A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
Part of subcall function 007A73E8: SelectObject.GDI32(?,00000000), ref: 007A7482
Part of subcall function 007A73E8: SetBkColor.GDI32(?,00000000), ref: 007A748B
Part of subcall function 007A73E8: SelectObject.GDI32(?,?), ref: 007A7498
Part of subcall function 007A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
Part of subcall function 007A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
Part of subcall function 007A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0f4f378a209d33f16ac66cc527f0fd10dc6314b8a36807e64c8cc6d577c16ff4
Instruction ID: c1d833a297b8b297f6d1daa8806396e47f3a606c5ba0eede3470e098bae3167b
Opcode Fuzzy Hash: 0f4f378a209d33f16ac66cc527f0fd10dc6314b8a36807e64c8cc6d577c16ff4
Instruction Fuzzy Hash: 52A19C72508305BFDB069F60DC48A6BBBE9FBCA320F104B19F962961E1D738E944CB51

Function 00728D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00728E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00766AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00766AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00766F43

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

SendMessageW.USER32(?,00001053), ref: 00766F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00766F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FB7

Strings

0, xrefs: 00766DCF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction ID: b391f4e94040ef4cd4d46059eb55ea3ffd03a5bcf3b3695a5811d5d342211faa
Opcode Fuzzy Hash: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction Fuzzy Hash: A912C330602251EFDB25CF24D884BA5B7E5FB49300F958469F896CB262CB3AEC51CF55

Function 00792711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0079273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0079286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00792900
GetClientRect.USER32(00000000,?), ref: 0079290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00792955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00792964
GetStockObject.GDI32(00000011), ref: 00792974
SelectObject.GDI32(00000000,00000000), ref: 00792978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00792988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00792991
DeleteDC.GDI32(00000000), ref: 0079299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00792A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00792A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00792A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00792A77
GetStockObject.GDI32(00000011), ref: 00792A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00792A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00792A97

Strings

static, xrefs: 0079294F, 00792A71
msctls_progress32, xrefs: 00792A13
AutoIt v3, xrefs: 007928F8
DISPLAY, xrefs: 0079295A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction ID: 3c85a15974266b009cbf1326dfd01d56ec5e317e21ff6ab51d09c1c6584c2c20
Opcode Fuzzy Hash: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction Fuzzy Hash: C7B14EB1A00215BFDB14DFA8DC8AEAE7BB9EB49710F008114F915EB291D778AD41CB94

Function 00784ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784AED
GetDriveTypeW.KERNEL32(?,007ACB68,?,\\.\,007ACC08), ref: 00784BCA
SetErrorMode.KERNEL32(00000000,007ACB68,?,\\.\,007ACC08), ref: 00784D36

Strings

Fixed, xrefs: 00784C09
USB, xrefs: 00784CB4
SAS, xrefs: 00784CC9
\\.\, xrefs: 00784B3F
RAMDisk, xrefs: 00784BF4
ATAPI, xrefs: 00784C91
Fibre, xrefs: 00784CAD
SCSI, xrefs: 00784C8A
Unknown, xrefs: 00784BED, 00784C83
CDROM, xrefs: 00784BFB
ATA, xrefs: 00784C98
SSD, xrefs: 00784C4A
FileBackedVirtual, xrefs: 00784CEC
RAID, xrefs: 00784CBB
iSCSI, xrefs: 00784CC2
Network, xrefs: 00784C02
SSA, xrefs: 00784CA6
Virtual, xrefs: 00784CE5
SATA, xrefs: 00784CD0
PhysicalDrive, xrefs: 00784B76
MMC, xrefs: 00784CDE
1394, xrefs: 00784C9F
Removable, xrefs: 00784C10, 00784C15

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4acd804f0e23125ff8d188f92bdac33c2167b8cce1ea84a80044afe9e56bc5af
Instruction ID: cc126940e35461b3c12a4c137c417d5931f29c2df85563d7bbc1eb128b2cf26c
Opcode Fuzzy Hash: 4acd804f0e23125ff8d188f92bdac33c2167b8cce1ea84a80044afe9e56bc5af
Instruction Fuzzy Hash: 7361B370785107EBCB14FF28CA959A8B7F5AB44340B248016F806AB791DBFDED41DB61

Function 007A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007A7421
SetTextColor.GDI32(?,?), ref: 007A7425
GetSysColorBrush.USER32(0000000F), ref: 007A743B
GetSysColor.USER32(0000000F), ref: 007A7446
CreateSolidBrush.GDI32(?), ref: 007A744B
GetSysColor.USER32(00000011), ref: 007A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
SelectObject.GDI32(?,00000000), ref: 007A7482
SetBkColor.GDI32(?,00000000), ref: 007A748B
SelectObject.GDI32(?,?), ref: 007A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007A7572
DrawFocusRect.USER32(?,?), ref: 007A757D
GetSysColor.USER32(00000011), ref: 007A758E
SetTextColor.GDI32(?,00000000), ref: 007A7596
DrawTextW.USER32(?,007A70F5,000000FF,?,00000000), ref: 007A75A8
SelectObject.GDI32(?,?), ref: 007A75BF
DeleteObject.GDI32(?), ref: 007A75CA
SelectObject.GDI32(?,?), ref: 007A75D0
DeleteObject.GDI32(?), ref: 007A75D5
SetTextColor.GDI32(?,?), ref: 007A75DB
SetBkColor.GDI32(?,?), ref: 007A75E5

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ca70157d23e82227a37a5efa461f5021cbad6664b453e0d926b9385652fa6eb4
Instruction ID: d9068959950ecebb2df0f9b7249635de96628bbe75cd9bfcd5189e73a71b16d4
Opcode Fuzzy Hash: ca70157d23e82227a37a5efa461f5021cbad6664b453e0d926b9385652fa6eb4
Instruction Fuzzy Hash: 26616272D00218BFDF059FA4DC49A9E7FB9EB4A320F118125F911A72A1D7789940CB94

Function 007A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007A1128
GetDesktopWindow.USER32 ref: 007A113D
GetWindowRect.USER32(00000000), ref: 007A1144
GetWindowLongW.USER32(?,000000F0), ref: 007A1199
DestroyWindow.USER32(?), ref: 007A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007A1245
IsWindowVisible.USER32(00000000), ref: 007A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007A12D0
GetWindowRect.USER32(00000000,?), ref: 007A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007A130E
GetMonitorInfoW.USER32(00000000,?), ref: 007A1328
CopyRect.USER32(?,?), ref: 007A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007A13AA

Strings

(, xrefs: 007A131B
tooltips_class32, xrefs: 007A11E6
0, xrefs: 007A10D3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction ID: 782dc17fbec0acaf029921461ac602e0b5be55932ca5b835e16f62a83bda18f0
Opcode Fuzzy Hash: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction Fuzzy Hash: F7B1A071604340EFE714DF64C888B6BBBE4FF89350F408A18F9999B2A1D735D845CB96

Function 00728891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00728968
GetSystemMetrics.USER32(00000007), ref: 00728970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0072899B
GetSystemMetrics.USER32(00000008), ref: 007289A3
GetSystemMetrics.USER32(00000004), ref: 007289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00728A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00728A3C
GetClientRect.USER32(00000000,000000FF), ref: 00728A5A
GetStockObject.GDI32(00000011), ref: 00728A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00728A81

Part of subcall function 0072912D: GetCursorPos.USER32(?), ref: 00729141
Part of subcall function 0072912D: ScreenToClient.USER32(00000000,?), ref: 0072915E
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000001), ref: 00729183
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000002), ref: 0072919D

SetTimer.USER32(00000000,00000000,00000028,007290FC), ref: 00728AA8

Strings

AutoIt v3 GUI, xrefs: 00728A20

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction ID: 0dd3d6f3f47ba72a18efbe996c5f4f997bb4bdaaaffd93b17bc9b4f36e94b4e1
Opcode Fuzzy Hash: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction Fuzzy Hash: 7DB1A071A01259EFDB14DF68DC85BAE3BB5FB48314F518129FA05AB290DB38E840CF55

Function 00770D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770E29
GetLengthSid.ADVAPI32(?), ref: 00770E40
GetAce.ADVAPI32(?,00000000,?), ref: 00770E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770E96
GetLengthSid.ADVAPI32(?), ref: 00770EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770EB5
HeapAlloc.KERNEL32(00000000), ref: 00770EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770EDD
CopySid.ADVAPI32(00000000), ref: 00770EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F6E
HeapFree.KERNEL32(00000000), ref: 00770F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F7E
HeapFree.KERNEL32(00000000), ref: 00770F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F8E
HeapFree.KERNEL32(00000000), ref: 00770F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00770FA1
HeapFree.KERNEL32(00000000), ref: 00770FA8

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction ID: 2645551991a30bcc0b5cded3c28126c47a0d355c033c54bc94b51c5c03b3310c
Opcode Fuzzy Hash: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction Fuzzy Hash: 39715C72A0020AFBDF21DFA4DC49BAEBBB8BF45340F048115F919A6191D7799A05CFA0

Function 0079C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007ACC08,00000000,?,00000000,?,?), ref: 0079C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0079C5A4
_wcslen.LIBCMT ref: 0079C5F4
_wcslen.LIBCMT ref: 0079C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0079C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0079C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0079C84D
RegCloseKey.ADVAPI32(?), ref: 0079C881
RegCloseKey.ADVAPI32(00000000), ref: 0079C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0079C960

Strings

REG_BINARY, xrefs: 0079C913
REG_EXPAND_SZ, xrefs: 0079C5CD
REG_SZ, xrefs: 0079C644
REG_DWORD, xrefs: 0079C804
REG_MULTI_SZ, xrefs: 0079C6F5
REG_QWORD, xrefs: 0079C8C3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3f40a5987f512d33b031c581f6b1df18b96309f76280efb1b43012db40bf2513
Instruction ID: 6fed43151c1e7ff8b7e2e84299a3485540fc2bc4a2d0e29aa8c2cee2ca46d8cd
Opcode Fuzzy Hash: 3f40a5987f512d33b031c581f6b1df18b96309f76280efb1b43012db40bf2513
Instruction Fuzzy Hash: F5126835604200DFDB15DF18D895A6AB7E5EF88714F14889CF84A9B3A2DB39FD81CB81

Function 007A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A09C6
_wcslen.LIBCMT ref: 007A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A0A54
_wcslen.LIBCMT ref: 007A0A8A
_wcslen.LIBCMT ref: 007A0B06
_wcslen.LIBCMT ref: 007A0B81

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

Part of subcall function 00772BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00772BFA

Strings

COLLAPSE, xrefs: 007A0B01, 007A0B1C
UNCHECK, xrefs: 007A0D3E
GETTEXT, xrefs: 007A0C97
EXPAND, xrefs: 007A0BF8
EXISTS, xrefs: 007A0B7C, 007A0B97
GETSELECTED, xrefs: 007A0C4E
GETTOTALCOUNT, xrefs: 007A09F2, 007A0A17
GETITEMCOUNT, xrefs: 007A0C1E
CHECK, xrefs: 007A0A85, 007A0AA0
SELECT, xrefs: 007A0D11
ISCHECKED, xrefs: 007A0CE1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction ID: 22102b2c419446e4d3948f6fe2a1e7885ffef863ef856305f2adeda4cc06149d
Opcode Fuzzy Hash: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction Fuzzy Hash: 3DE19B72208301DFC714DF28C45096AB7E2BFD9314B148A5DF89A9B3A2D739ED85CB91

Function 0079C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
_wcslen.LIBCMT ref: 0079C9F1
_wcslen.LIBCMT ref: 0079CA68
_wcslen.LIBCMT ref: 0079CA9E
_wcslen.LIBCMT ref: 0079CAF9
_wcslen.LIBCMT ref: 0079CB2F
_wcslen.LIBCMT ref: 0079CB7F

Strings

HKLM, xrefs: 0079CA98, 0079CA9D
HKCU, xrefs: 0079CBCE
HKU, xrefs: 0079CBF0
HKCR, xrefs: 0079CB29, 0079CB2E
HKEY_CLASSES_ROOT, xrefs: 0079CAF3, 0079CAF8
HKEY_LOCAL_MACHINE, xrefs: 0079CA62, 0079CA67
HKCC, xrefs: 0079CBAC
HKEY_CURRENT_CONFIG, xrefs: 0079CB79, 0079CB7E
HKEY_USERS, xrefs: 0079CBDF
HKEY_CURRENT_USER, xrefs: 0079CBBD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction ID: 62368458ed893a8d339d501f93f39e7cfd5c960ae59f3af31f748630178d38ee
Opcode Fuzzy Hash: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction Fuzzy Hash: 8371257260016A8BCF22DE3CED525BE33A1AF61760F544529F856A7285F63CDD80C3A0

Function 007A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A835A
_wcslen.LIBCMT ref: 007A836E
_wcslen.LIBCMT ref: 007A8391
_wcslen.LIBCMT ref: 007A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007A361A,?), ref: 007A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8501
FreeLibrary.KERNEL32(?), ref: 007A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007A851D
DestroyIcon.USER32(?), ref: 007A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007A8555

Strings

.dll, xrefs: 007A83AB
.icl, xrefs: 007A8368
.exe, xrefs: 007A8388

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction ID: bf52bd6586f31cf91310295902d3f75159927da9ee6e7efa8fe7d0dc06ca1abc
Opcode Fuzzy Hash: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction Fuzzy Hash: 3061C271940215FEEB18DF64CC45BBE77A8BF89721F108609F815D61D1EB7CA990C7A0

Function 00717778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0071785F, 007178B1
", xrefs: 00755153
Bad directive syntax error, xrefs: 0075519A
Unterminated group of comments, xrefs: 0075528C
#include-once, xrefs: 0071782F
#comments-end, xrefs: 007178D9
#requireadmin, xrefs: 007177FF
#notrayicon, xrefs: 007177E7
Cannot parse #include, xrefs: 00755279
', xrefs: 00755169
#include, xrefs: 00717847
#cs, xrefs: 00717873, 007178C5
#ce, xrefs: 007178ED
#OnAutoItStartRegister, xrefs: 00717817
#pragma compile, xrefs: 007177D3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2544f17896afd52e26c204abcae7588b2bca6be6a0fd1de7979f027f29027d5d
Instruction ID: f09dcaa43f1ea316fb7c046ec9da676070d14e6097179b7961adf3a857325e1c
Opcode Fuzzy Hash: 2544f17896afd52e26c204abcae7588b2bca6be6a0fd1de7979f027f29027d5d
Instruction Fuzzy Hash: 858104B0A40605FBDB25AF64CC56FEE3BB4AF55700F044024F905AA1D2EB7CD985C7A2

Function 00783E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00783EF8
_wcslen.LIBCMT ref: 00783F03
_wcslen.LIBCMT ref: 00783F5A
_wcslen.LIBCMT ref: 00783F98
GetDriveTypeW.KERNEL32(?), ref: 00783FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00784059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00784087

Strings

close cd wait, xrefs: 00784072
wait, xrefs: 00784044
open, xrefs: 00783F54, 00783F59
set cd door , xrefs: 00784028
open , xrefs: 00783FE5
closed, xrefs: 00783F08, 00783F2D, 00783F46, 00783F7E, 00783F97
close, xrefs: 00783EFE, 00783F18
type cdaudio alias cd wait, xrefs: 00784001

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e1877105dbd22fac164fa355b112e8223b948f0b3fb24eb0549e000088be0e14
Instruction ID: 9f2a12bb83ca36d50cc4f52dd1e51e1cf8516699bcddb021f200bc3a06f08958
Opcode Fuzzy Hash: e1877105dbd22fac164fa355b112e8223b948f0b3fb24eb0549e000088be0e14
Instruction Fuzzy Hash: 8371E472604202DFC710EF28C8819ABB7F4EF94764F10492DF99597291EB39ED45CB91

Function 00775A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00775A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00775A40
SetWindowTextW.USER32(?,?), ref: 00775A57
GetDlgItem.USER32(?,000003EA), ref: 00775A6C
SetWindowTextW.USER32(00000000,?), ref: 00775A72
GetDlgItem.USER32(?,000003E9), ref: 00775A82
SetWindowTextW.USER32(00000000,?), ref: 00775A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00775AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00775AC3
GetWindowRect.USER32(?,?), ref: 00775ACC
_wcslen.LIBCMT ref: 00775B33
SetWindowTextW.USER32(?,?), ref: 00775B6F
GetDesktopWindow.USER32 ref: 00775B75
GetWindowRect.USER32(00000000), ref: 00775B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00775BD3
GetClientRect.USER32(?,?), ref: 00775BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00775C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00775C2F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction ID: 64f358efd5f5c4895115346bb6da2064ba583947efab3f6fc9e95215ece1deb0
Opcode Fuzzy Hash: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction Fuzzy Hash: FF717E71900B09EFDF21DFA8CE85A6EBBF5FF48744F108918E146A25A0D7B8E944CB54

Function 0078FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0078FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0078FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0078FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0078FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0078FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0078FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0078FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0078FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0078FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0078FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0078FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0078FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0078FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0078FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0078FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0078FECC
GetCursorInfo.USER32(?), ref: 0078FEDC
GetLastError.KERNEL32 ref: 0078FF1E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f38323cfafc4eddfca1c530700f5dc27ed5885216f3a6998476b240c92dd823d
Instruction ID: 93c183cf7058ec3dda3cae4da97633749976d27d422d23f86e2269b20a6cef5c
Opcode Fuzzy Hash: f38323cfafc4eddfca1c530700f5dc27ed5885216f3a6998476b240c92dd823d
Instruction Fuzzy Hash: E94151B0D44319AADB109FBA8C8985EBFE8FF04754B54852AE119E7281DB78A9018F91

Function 007730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077318D
_wcslen.LIBCMT ref: 007731F8

Strings

TEXT, xrefs: 0077347C
REGEXPCLASS, xrefs: 00773255, 00773266
[}, xrefs: 0077339A
CLASS, xrefs: 00773188, 007731A5
NAME, xrefs: 00773335, 00773346
INSTANCE, xrefs: 00773453
CLASSNN, xrefs: 007731F3, 00773204

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[}
API String ID: 176396367-3465173759
Opcode ID: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction ID: 579df7f60cf39c993509c270a1abbcc8f0516337bc5cfdfcb879e0e638c306fb
Opcode Fuzzy Hash: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction Fuzzy Hash: 37E1E732A00516EBCF189F78C4556FDBBB0BF44790F54C12AE45AF7241DB38AE85A790

Function 007300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007300C6

Part of subcall function 007300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007E070C,00000FA0,4A4C7BA1,?,?,?,?,007523B3,000000FF), ref: 0073011C
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007523B3,000000FF), ref: 00730127
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007523B3,000000FF), ref: 00730138
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0073014E
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0073015C
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0073016A
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00730195
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007301A0

___scrt_fastfail.LIBCMT ref: 007300E7

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

Strings

InitializeConditionVariable, xrefs: 00730148
WakeAllConditionVariable, xrefs: 00730162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00730122
SleepConditionVariableCS, xrefs: 00730154
kernel32.dll, xrefs: 00730133

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction ID: 15c34a5f8dd2c40da9e2568fefe82ec49589ed6ea8b58984281bc4a832319f22
Opcode Fuzzy Hash: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction Fuzzy Hash: E021FCB2B45714BBF7125BB4AC59B6E73A4DB86B51F004135F801A7292DBBC5C008AD4

Function 007844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007ACC08), ref: 00784527
_wcslen.LIBCMT ref: 0078453B
_wcslen.LIBCMT ref: 00784599
_wcslen.LIBCMT ref: 007845F4
_wcslen.LIBCMT ref: 0078463F
_wcslen.LIBCMT ref: 007846A7

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

GetDriveTypeW.KERNEL32(?,007D6BF0,00000061), ref: 00784743

Strings

unknown, xrefs: 00784708
removable, xrefs: 007845EA, 007845EF
cdrom, xrefs: 0078458F, 00784594
network, xrefs: 0078469D, 007846A2
all, xrefs: 00784531, 00784536
fixed, xrefs: 00784635, 0078463A
ramdisk, xrefs: 007846F1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f97d70a35ebb89afca7cee98d0bffbd3dd32295b7c5196c32aa864887c7d85b3
Instruction ID: 30fe9aef8bba7dc4809cf2f8f6ee5958d5d3e7afa540d71a4f6d41a341d46b65
Opcode Fuzzy Hash: f97d70a35ebb89afca7cee98d0bffbd3dd32295b7c5196c32aa864887c7d85b3
Instruction Fuzzy Hash: 08B116716483039FC710EF28C894A6EB7E5BFA5720F50491DF496C7291E778E984CB52

Function 007A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DragQueryPoint.SHELL32(?,?), ref: 007A9147

Part of subcall function 007A7674: ClientToScreen.USER32(?,?), ref: 007A769A
Part of subcall function 007A7674: GetWindowRect.USER32(?,?), ref: 007A7710
Part of subcall function 007A7674: PtInRect.USER32(?,?,007A8B89), ref: 007A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9277
DragFinish.SHELL32(?), ref: 007A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007A9371

Strings

@GUI_DRAGID, xrefs: 007A92E9
p#~, xrefs: 007A92BB
@GUI_DRAGFILE, xrefs: 007A9320
@GUI_DROPID, xrefs: 007A929E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#~
API String ID: 221274066-3354685542
Opcode ID: a924b41c5e18998f6b10a37b34d3464104f816357884f50ee7abacce945ef7a5
Instruction ID: 25f49c682e3a98667729743ea3b7071271ef2e46cf2e57e6bcefaeb058758de6
Opcode Fuzzy Hash: a924b41c5e18998f6b10a37b34d3464104f816357884f50ee7abacce945ef7a5
Instruction Fuzzy Hash: D3617C71108301AFC701DF64DC89DAFBBE8EFC9750F404A1EF691921A1DB389A49CB96

Function 0071326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007E1990), ref: 00752F8D
GetMenuItemCount.USER32(007E1990), ref: 0075303D
GetCursorPos.USER32(?), ref: 00753081
SetForegroundWindow.USER32(00000000), ref: 0075308A
TrackPopupMenuEx.USER32(007E1990,00000000,?,00000000,00000000,00000000), ref: 0075309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007530A9

Strings

0, xrefs: 0071327D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 52f25020c0b27414e6948b5b5251264ebdde973c55858936677a4495d91527e9
Instruction ID: 152908fb2f9e8ea74dc9dcf880c94cddecf0e4a42a6b4ca7e8e6825e1f6863aa
Opcode Fuzzy Hash: 52f25020c0b27414e6948b5b5251264ebdde973c55858936677a4495d91527e9
Instruction Fuzzy Hash: FA712970644205FEEB219F28DC49FEABF65FF06364F204206F9196A1E1C7F9A954C790

Function 007A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007A6DEB

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6E94
DestroyWindow.USER32(?), ref: 007A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00710000,00000000), ref: 007A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6EFD
GetDesktopWindow.USER32 ref: 007A6F16
GetWindowRect.USER32(00000000), ref: 007A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007A6F4D

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

Strings

0, xrefs: 007A6D98
tooltips_class32, xrefs: 007A6E58, 007A6EDD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction ID: 61393156d6ad619e0f50f5898277428101b89250b538c1c64a3a092d0b6f8f97
Opcode Fuzzy Hash: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction Fuzzy Hash: 43717870144284AFDB21CF18DC48EAABBF9FBCA304F48455EF999872A1C778E905CB15

Function 0078C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0078C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0078C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0078C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C5F0
InternetCloseHandle.WININET(00000000), ref: 0078C5FB

Strings

, xrefs: 0078C575

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction ID: fc7d3826c9b263824a7f1fea31687b5a0b84e9babcc1f2cb0fc8a34edb93df34
Opcode Fuzzy Hash: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction Fuzzy Hash: 75516EB1540204BFEB22AF60C948ABB7BFCFF49754F108419F94596250DB38E954DB70

Function 007A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 007A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007A85AD
CloseHandle.KERNEL32(00000000), ref: 007A85BA
GlobalLock.KERNEL32(00000000), ref: 007A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007A85D7
GlobalUnlock.KERNEL32(00000000), ref: 007A85E0
CloseHandle.KERNEL32(00000000), ref: 007A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,007AFC38,?), ref: 007A8611
GlobalFree.KERNEL32(00000000), ref: 007A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 007A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007A8671
DeleteObject.GDI32(00000000), ref: 007A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007A86AF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction ID: 15e5fc193d8c7b011943669548eb765e01080317df1699e9f726980c15e7f308
Opcode Fuzzy Hash: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction Fuzzy Hash: 5C41FA75600208FFDB129FA5DC48EAA7BB8FF8A711F148158F905E7260DB389901CB65

Function 007814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00781502
VariantCopy.OLEAUT32(?,?), ref: 0078150B
VariantClear.OLEAUT32(?), ref: 00781517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00781657
VariantInit.OLEAUT32(?), ref: 00781708
SysFreeString.OLEAUT32(?), ref: 0078178C
VariantClear.OLEAUT32(?), ref: 007817D8
VariantClear.OLEAUT32(?), ref: 007817E7
VariantInit.OLEAUT32(00000000), ref: 00781823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00781625
Default, xrefs: 007816AF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 115ecb186baeb016d4fa238746cc79cc249cda7a5e6d254a2d897ae12ebb00ed
Instruction ID: 2d6a94b6b96e87ba7ea690f0c652f1a8e30db7b415073ed811c9e96d6b61bfdc
Opcode Fuzzy Hash: 115ecb186baeb016d4fa238746cc79cc249cda7a5e6d254a2d897ae12ebb00ed
Instruction Fuzzy Hash: AFD12572A40115EBDB00BF65E889BBDB7B9BF46700F50805AF446AB180DB3CED52DB61

Function 0079B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0079B80A
RegCloseKey.ADVAPI32(?), ref: 0079B87E
RegCloseKey.ADVAPI32(?), ref: 0079B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0079B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0079B922
FreeLibrary.KERNEL32(00000000), ref: 0079B983
RegCloseKey.ADVAPI32(00000000), ref: 0079B994

Strings

RegDeleteKeyExW, xrefs: 0079B8FE
advapi32.dll, xrefs: 0079B8ED

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 73f6588a85b0ab8bfc12711fddff83326c187c3429bb01040e813b770ee57604
Instruction ID: a4e8b71d5d10f2c5c6317a77f5065edf400ed363a5db4885f46fb191f5311599
Opcode Fuzzy Hash: 73f6588a85b0ab8bfc12711fddff83326c187c3429bb01040e813b770ee57604
Instruction Fuzzy Hash: 4BC19F30204201EFDB14DF18E599F2ABBE5BF84314F14855CF55A4B2A2CB79EC86CB91

Function 0079255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007925E8
CreateCompatibleDC.GDI32(?), ref: 007925F4
SelectObject.GDI32(00000000,?), ref: 00792601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0079266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007926D0
SelectObject.GDI32(?,?), ref: 007926D8
DeleteObject.GDI32(?), ref: 007926E1
DeleteDC.GDI32(?), ref: 007926E8
ReleaseDC.USER32(00000000,?), ref: 007926F3

Strings

(, xrefs: 0079268D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b234e94667c7d71169a6aca8e954822ff148ad248221cdfc05842737914930ab
Instruction ID: 7acb154ea546c7639b4f5687e10ca0bf6cbf77bf1492f15ca269d03c28f27ebf
Opcode Fuzzy Hash: b234e94667c7d71169a6aca8e954822ff148ad248221cdfc05842737914930ab
Instruction Fuzzy Hash: 296113B5E00219EFCF05DFA4D884AAEBBF5FF48310F208429E955A7251E734A941CF94

Function 0074DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0074DAA1

Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D659
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D66B
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D67D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D68F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6A1
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6B3
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6C5
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6D7
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6E9
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6FB
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D70D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D71F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D731

_free.LIBCMT ref: 0074DA96

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074DAB8
_free.LIBCMT ref: 0074DACD
_free.LIBCMT ref: 0074DAD8
_free.LIBCMT ref: 0074DAFA
_free.LIBCMT ref: 0074DB0D
_free.LIBCMT ref: 0074DB1B
_free.LIBCMT ref: 0074DB26
_free.LIBCMT ref: 0074DB5E
_free.LIBCMT ref: 0074DB65
_free.LIBCMT ref: 0074DB82
_free.LIBCMT ref: 0074DB9A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction ID: d625ca373adeb312f2c68f3a5941913f580ea98a507d686cfac3a1406c6ec626
Opcode Fuzzy Hash: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction Fuzzy Hash: 2F315C71604205DFEB32AA39E849B5677E9FF00310F55442AF498E72A2DB39BC51CB20

Function 0077365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0077369C
_wcslen.LIBCMT ref: 007736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00773797
GetClassNameW.USER32(?,?,00000400), ref: 0077380C
GetDlgCtrlID.USER32(?), ref: 0077385D
GetWindowRect.USER32(?,?), ref: 00773882
GetParent.USER32(?), ref: 007738A0
ScreenToClient.USER32(00000000), ref: 007738A7
GetClassNameW.USER32(?,?,00000100), ref: 00773921
GetWindowTextW.USER32(?,?,00000400), ref: 0077395D

Strings

%s%u, xrefs: 00773734

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 87d4bf53057a4a192d7d825b694fe61144d1fc3a02859461c9ee34c4a9f65909
Instruction ID: 0a157ad61caa41298e01fbbbd8396955b7cfbd73a6417f340410c011b5642f27
Opcode Fuzzy Hash: 87d4bf53057a4a192d7d825b694fe61144d1fc3a02859461c9ee34c4a9f65909
Instruction Fuzzy Hash: 9B91C671204606EFDB19DF24C885BAAF7A8FF44394F00C519FA9DC2190DB38EA55DBA1

Function 00774954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00774994
GetWindowTextW.USER32(?,?,00000400), ref: 007749DA
_wcslen.LIBCMT ref: 007749EB
CharUpperBuffW.USER32(?,00000000), ref: 007749F7
_wcsstr.LIBVCRUNTIME ref: 00774A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00774A64
GetWindowTextW.USER32(?,?,00000400), ref: 00774A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00774AE6
GetClassNameW.USER32(?,?,00000400), ref: 00774B20
GetWindowRect.USER32(?,?), ref: 00774B8B

Strings

ThumbnailClass, xrefs: 00774A6F, 00774AF1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8f7e29016109780ce8c948b72b783c3a7a87eca3a5b63adb4c9b72f3bfb33fd8
Instruction ID: b80187898ff3fdcd98f2d282ea8ba80aa5dfec2051367c60f56f4bc6fe25d952
Opcode Fuzzy Hash: 8f7e29016109780ce8c948b72b783c3a7a87eca3a5b63adb4c9b72f3bfb33fd8
Instruction Fuzzy Hash: 8391AC71104205AFDF05DF14C985BAAB7E8FF84394F04C46AFD899A0A6DB38ED45CBA1

Function 0077BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007E1990,000000FF,00000000,00000030), ref: 0077BFAC
SetMenuItemInfoW.USER32(007E1990,00000004,00000000,00000030), ref: 0077BFE1
Sleep.KERNEL32(000001F4), ref: 0077BFF3
GetMenuItemCount.USER32(?), ref: 0077C039
GetMenuItemID.USER32(?,00000000), ref: 0077C056
GetMenuItemID.USER32(?,-00000001), ref: 0077C082
GetMenuItemID.USER32(?,?), ref: 0077C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0077C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077C145

Strings

0, xrefs: 0077BF3D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 71f8d5e546079917a08d8cb3719246734da0e279d779bded42e2ee023a40d041
Instruction ID: a7bfa67228042f0517a0d35ff7eccad2de7153000658226fe777c80134a4bb25
Opcode Fuzzy Hash: 71f8d5e546079917a08d8cb3719246734da0e279d779bded42e2ee023a40d041
Instruction Fuzzy Hash: 876196B0900249EFDF12CF64DC88AFE7BB8EB49384F548059F915A7251D739AD15CB60

Function 0079CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0079CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD48

Part of subcall function 0079CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0079CCAA
Part of subcall function 0079CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0079CCBD
Part of subcall function 0079CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079CCCF
Part of subcall function 0079CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD05
Part of subcall function 0079CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0079CCF3

Strings

RegDeleteKeyExW, xrefs: 0079CCC9
advapi32.dll, xrefs: 0079CCB8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction ID: a63672db045f136fd85fd1487ff8c56c669713044f75bb7298e0b8f5f4807505
Opcode Fuzzy Hash: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction Fuzzy Hash: C63160B1A01129BBDF228B54EC88EFFBB7CEF46750F004165F905E6240D6389E45DAB4

Function 00783D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00783D40
_wcslen.LIBCMT ref: 00783D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00783D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00783DBE
RemoveDirectoryW.KERNEL32(?), ref: 00783DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00783E55
CloseHandle.KERNEL32(00000000), ref: 00783E60
CloseHandle.KERNEL32(00000000), ref: 00783E6B

Strings

\??\%s, xrefs: 00783D5B
:, xrefs: 00783D82
\, xrefs: 00783D77

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction ID: 660c9a330f12500435ef8bb9b071ad2757052d5227faab6c6779f19a514d973c
Opcode Fuzzy Hash: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction Fuzzy Hash: 3231B471A40119BBDB21ABA4DC49FEF37BCEF89B00F1040B5F505D6151EB7897458B24

Function 0077E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077E6B4

Part of subcall function 0072E551: timeGetTime.WINMM(?,?,0077E6D4), ref: 0072E555

Sleep.KERNEL32(0000000A), ref: 0077E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0077E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0077E727
SetActiveWindow.USER32 ref: 0077E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0077E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0077E773
Sleep.KERNEL32(000000FA), ref: 0077E77E
IsWindow.USER32 ref: 0077E78A
EndDialog.USER32(00000000), ref: 0077E79B

Strings

BUTTON, xrefs: 0077E719

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction ID: 74d56d9d27ecbd12462fe3f6c4273f3e61cd924b960b7103ff96781692dbb6a9
Opcode Fuzzy Hash: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction Fuzzy Hash: BF2184B0301245BFEF015F24ECC9A253B6DF79D389B10C465F509C55A2DBBDAC119A6C

Function 0077E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0077EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0077EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0077EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0077EAA7

Strings

play PlayMe, xrefs: 0077EAA2
close PlayMe, xrefs: 0077EA6E, 0077EA9B
play PlayMe wait, xrefs: 0077EA91
status PlayMe mode, xrefs: 0077EA58
open , xrefs: 0077EA0C
alias PlayMe, xrefs: 0077EA36

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 50481ae339408c38273122dc77c8e5c4a29b42b76c6ee6d1497f5b80fe56555d
Instruction ID: 342595b667d5a48f4992cdaad74addaccd65374cbdfddc172ce18fd6857fed3b
Opcode Fuzzy Hash: 50481ae339408c38273122dc77c8e5c4a29b42b76c6ee6d1497f5b80fe56555d
Instruction Fuzzy Hash: 5711C671A50219B9DB20A7A5DC5ADFF6B7CEBD5F40F00442AB815A20D0EE782E45C5B0

Function 00775CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00775CE2
GetWindowRect.USER32(00000000,?), ref: 00775CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00775D59
GetDlgItem.USER32(?,00000002), ref: 00775D69
GetWindowRect.USER32(00000000,?), ref: 00775D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00775DCF
GetDlgItem.USER32(?,000003E9), ref: 00775DDD
GetWindowRect.USER32(00000000,?), ref: 00775DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00775E31
GetDlgItem.USER32(?,000003EA), ref: 00775E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00775E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00775E67

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction ID: da4c34ed71b9b7bcdc6e471035cfdaacab6c5b67fef080ffd939503cc2cb7dac
Opcode Fuzzy Hash: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction Fuzzy Hash: 0B510E71B00605AFDF19CF68DD89AAEBBB5FB88340F148229F519E7290D7B49E04CB50

Function 00728BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

DestroyWindow.USER32(?), ref: 00728C81
KillTimer.USER32(00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00766973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000), ref: 007669D4
DeleteObject.GDI32(00000000), ref: 007669E6

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction ID: 806e62fe21244b42d05081aaeb0594f06c8dc144e0111865dc50edfa3495d1ff
Opcode Fuzzy Hash: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction Fuzzy Hash: A161BD30103760DFCB629F14EA49B2A77F1FB44312F95855CE4429A560CB3EB880CFA6

Function 00729838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetSysColor.USER32(0000000F), ref: 00729862

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction ID: 4d9f738a6cf78cea092895015859589f94ba7e4d424af10846e6d1ea95ffe4e4
Opcode Fuzzy Hash: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction Fuzzy Hash: 0841D471500654AFDB255F38EC88BB93BA5EB57370F1C8645FAA28B1E2D7389C41DB10

Function 00748D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.s, xrefs: 0074903A, 00748FD0, 00748FF2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: .s
API String ID: 0-1621786184
Opcode ID: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction ID: 5f24f82084dc2d8cb25200c8417c9dc9588f06d112c06876d3b777f25eb0c7f8
Opcode Fuzzy Hash: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction Fuzzy Hash: ACC1E475E0424AEFDF11DFA8D845BAEBBB0BF09310F144199F514AB3A2C7789941CB61

Function 007796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00779717
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779720

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00779742
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00779866

Strings

^ ERROR, xrefs: 007797FB
Line %d:, xrefs: 007797A0
Error: , xrefs: 0077981D
%s (%d) : ==> %s: %s %s, xrefs: 0077984A
Line %d (File "%s"):, xrefs: 0077978F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: dd34ea3cea8ce4c0b254f0710500c69203bd5d134acedb07e6a4dc55f0a87136
Instruction ID: e1d34adf31fc0a5483b78541497c1a408c562206105c159e49f974ee0ea1b5df
Opcode Fuzzy Hash: dd34ea3cea8ce4c0b254f0710500c69203bd5d134acedb07e6a4dc55f0a87136
Instruction Fuzzy Hash: CB412C72801219EADF04EBE4DE9ADEEB778AF55340F504025F60572092EB396F89CB61

Function 007706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00770804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0077082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00770837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0077083C

Strings

\CLSID, xrefs: 00770724
SOFTWARE\Classes\, xrefs: 0077070E
\IPC$, xrefs: 00770784

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction ID: 3e84a2599c5ce989d04024ff7d96e5a74f2fff3331168affcda1f7820dc8f4d1
Opcode Fuzzy Hash: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction Fuzzy Hash: EC41FC71C10229EBDF15EB94DC99CEDB778FF44350F148126E915A31A1EB386E44CB90

Function 00793C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00793C5C
CoInitialize.OLE32(00000000), ref: 00793C8A
CoUninitialize.OLE32 ref: 00793C94
_wcslen.LIBCMT ref: 00793D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00793DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00793ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00793F0E
CoGetObject.OLE32(?,00000000,007AFB98,?), ref: 00793F2D
SetErrorMode.KERNEL32(00000000), ref: 00793F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00793FC4
VariantClear.OLEAUT32(?), ref: 00793FD8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction ID: 12d05e6351322a7470e843501cedb6a979c10bda55cf6e0147376642a274fcea
Opcode Fuzzy Hash: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction Fuzzy Hash: 16C13571608205EFDB00DF68D88492BBBE9FF89744F04491DF98A9B250D738EE45CB52

Function 00787A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00787AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00787B8F
SHGetDesktopFolder.SHELL32(?), ref: 00787BA3
CoCreateInstance.OLE32(007AFD08,00000000,00000001,007D6E6C,?), ref: 00787BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00787C74
CoTaskMemFree.OLE32(?,?), ref: 00787CCC
SHBrowseForFolderW.SHELL32(?), ref: 00787D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00787D7A
CoTaskMemFree.OLE32(00000000), ref: 00787D81
CoTaskMemFree.OLE32(00000000), ref: 00787DD6
CoUninitialize.OLE32 ref: 00787DDC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 07a594093c9897746c2674a66b1b3e0d219a6c327ea1f8fcc0f52c99856e8030
Instruction ID: a1ea3237c0ce135112af93e70a82eea2a6065efbe5b2ddffa36e4a590da1865b
Opcode Fuzzy Hash: 07a594093c9897746c2674a66b1b3e0d219a6c327ea1f8fcc0f52c99856e8030
Instruction Fuzzy Hash: 10C11B75A04109EFCB14DFA4C888DAEBBF9FF48314B148499E91A9B361D734ED81CB90

Function 007A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A5515
CharNextW.USER32(00000158), ref: 007A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A55AC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction ID: de204444eb45672ebab9863bf6542c4133ebe5d19e1a20031217fc2dac6980d3
Opcode Fuzzy Hash: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction Fuzzy Hash: C2619D31900608EFDF11CF54CC84DFE7BB9EB8B721F108245F925AA290D7789A80DB60

Function 0076FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0076FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0076FB08
VariantInit.OLEAUT32(?), ref: 0076FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0076FB3A
VariantCopy.OLEAUT32(?,?), ref: 0076FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0076FBA1
VariantClear.OLEAUT32(?), ref: 0076FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0076FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBCC
VariantClear.OLEAUT32(?), ref: 0076FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBE9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction ID: cfc1656868a028d2709063e0e973b9c691d4aaca8aa68b7edbf421f72d861bd1
Opcode Fuzzy Hash: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction Fuzzy Hash: E3415475900119EFCB01DF68D8589ADBFB9FF49354F00C065E906A7251CB38A945CF94

Function 00779C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00779CA1
GetAsyncKeyState.USER32(000000A0), ref: 00779D22
GetKeyState.USER32(000000A0), ref: 00779D3D
GetAsyncKeyState.USER32(000000A1), ref: 00779D57
GetKeyState.USER32(000000A1), ref: 00779D6C
GetAsyncKeyState.USER32(00000011), ref: 00779D84
GetKeyState.USER32(00000011), ref: 00779D96
GetAsyncKeyState.USER32(00000012), ref: 00779DAE
GetKeyState.USER32(00000012), ref: 00779DC0
GetAsyncKeyState.USER32(0000005B), ref: 00779DD8
GetKeyState.USER32(0000005B), ref: 00779DEA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction ID: a34b9af03e56ca108fcf7fd684ac3f68c4a5163906ba4c6e4a1b0f753623f224
Opcode Fuzzy Hash: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction Fuzzy Hash: 8A41EB346057C96DFF31877484043B5BEA06F12384F08C05ADBCA566C2EBEC99D4C7A2

Function 0079055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007905BC
inet_addr.WSOCK32(?), ref: 0079061C
gethostbyname.WSOCK32(?), ref: 00790628
IcmpCreateFile.IPHLPAPI ref: 00790636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007907B9
WSACleanup.WSOCK32 ref: 007907BF

Strings

Ping, xrefs: 00790676

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e5fffbb68dd417be135e2e9420de30644b37e303bb8a9e03dbfe70d9301b1424
Instruction ID: ec90d4ccca555170b95abd6d23679d94407de49c2155d58e49524ca47fcbaed3
Opcode Fuzzy Hash: e5fffbb68dd417be135e2e9420de30644b37e303bb8a9e03dbfe70d9301b1424
Instruction Fuzzy Hash: 8E918F75614201EFDB20CF19E488F16BBE0AF84328F1585A9E4698B6A2C738EC41CFD1

Function 00798CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00798CF3

Part of subcall function 00778E54: _wcslen.LIBCMT ref: 00778E77

_wcslen.LIBCMT ref: 00798D4E
_wcslen.LIBCMT ref: 00798D9C
_wcslen.LIBCMT ref: 00798DDC
_wcslen.LIBCMT ref: 00798E6E

Strings

cdecl, xrefs: 00798D48, 00798D4D
stdcall, xrefs: 00798DD6, 00798DDB
winapi, xrefs: 00798D96, 00798D9B
none, xrefs: 00798E65, 00798E6A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction ID: 68b8f763237af72f3898132b6ccb41d26f01dd23ee748aa11ebd05fe0c4bbd78
Opcode Fuzzy Hash: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction Fuzzy Hash: 1B51C131A00116EBCF54DF6CD9519BEB3A5BF6A320B204229E526E73C4EB39ED40C791

Function 0079372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00793774
CoUninitialize.OLE32 ref: 0079377F
CoCreateInstance.OLE32(?,00000000,00000017,007AFB78,?), ref: 007937D9
IIDFromString.OLE32(?,?), ref: 0079384C
VariantInit.OLEAUT32(?), ref: 007938E4
VariantClear.OLEAUT32(?), ref: 00793936

Strings

NULL Pointer assignment, xrefs: 0079381E
Invalid parameter, xrefs: 00793865
Failed to create object, xrefs: 007937E4, 0079389A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction ID: 8449756ee865153a3acd7457757dd13fa9854e49ea10fd2cb126d6ae603342a5
Opcode Fuzzy Hash: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction Fuzzy Hash: D7618FB0608301EFDB11DF54D889F6ABBE4EF49714F004909F5859B291D778EE48CBA6

Function 00783388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007833CF

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007833F0

Strings

Error: , xrefs: 007834D1
"%s" (%d) : ==> %s:, xrefs: 00783522
"%s" (%d) : ==> %s:%s%s, xrefs: 00783504
Line %d (File "%s"):, xrefs: 00783443, 0078345C
Incorrect parameters to object property !, xrefs: 007834AB
^ ERROR , xrefs: 0078349E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8b1937190c3870a64b761b89a14aff8a241323911190c20b698dd8ed11d30fba
Instruction ID: dcb822214164a15fb6e55ac32d2eeeb22b5a04948406def78c38482f842510f5
Opcode Fuzzy Hash: 8b1937190c3870a64b761b89a14aff8a241323911190c20b698dd8ed11d30fba
Instruction Fuzzy Hash: 0151A1B1801209FADF15EBA4CD5AEEEB778AF04740F108065F50972191EB3D2F98DB60

Function 0077B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0077B5FC
_wcslen.LIBCMT ref: 0077B608
_wcslen.LIBCMT ref: 0077B64D
_wcslen.LIBCMT ref: 0077B68C
_wcslen.LIBCMT ref: 0077B6C7

Strings

EXISTS, xrefs: 0077B686, 0077B68B
KEYS, xrefs: 0077B647, 0077B64C
APPEND, xrefs: 0077B6C1, 0077B6C6
REMOVE, xrefs: 0077B602, 0077B607

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction ID: 0234136423d9755658c416cb3a812a16d69a0f2f1585bf5f15205fbe7df9d44d
Opcode Fuzzy Hash: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction Fuzzy Hash: E641DB32A00126DBCF105F7DC8906BE77B5AFA17E4B24812AE629D7284E73DDD81C790

Function 00785393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00785416
GetLastError.KERNEL32 ref: 00785420
SetErrorMode.KERNEL32(00000000,READY), ref: 007854A7

Strings

INVALID, xrefs: 00785459
READY, xrefs: 00785460, 00785468
UNKNOWN, xrefs: 00785444
NOTREADY, xrefs: 0078544B
READONLY, xrefs: 00785452

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction ID: 5b47cbfa90dfdfe6d3ba97940a1ad761a30be29dc75deea0d3c9f9ac0b2d7c4e
Opcode Fuzzy Hash: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction Fuzzy Hash: 8E31C375A40644EFDB10EF68C488AAABBF4FF45305F148065E509CB392DB79DD86CB90

Function 007A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007A3C79
SetMenu.USER32(?,00000000), ref: 007A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3D10
IsMenu.USER32(?), ref: 007A3D24
CreatePopupMenu.USER32 ref: 007A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3D5B
DrawMenuBar.USER32 ref: 007A3D63

Strings

F, xrefs: 007A3D4E
0, xrefs: 007A3C54

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction ID: cb37d3cb225638b8564d07d2185cab250dc1e193453b521516427f702c21a6c0
Opcode Fuzzy Hash: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction Fuzzy Hash: 10416B75A01209EFDB14CF64D884EEA7BB5FF8A351F144129F946A7360D738AA10CF94

Function 00771EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00771F64
GetDlgCtrlID.USER32 ref: 00771F6F
GetParent.USER32 ref: 00771F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00771F8E
GetDlgCtrlID.USER32(?), ref: 00771F97
GetParent.USER32(?), ref: 00771FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00771FAE

Strings

ComboBox, xrefs: 00771EEC
ListBox, xrefs: 00771F21

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b6c3671e18102fafb7f465a816c7ff7a11ad7e8ce720faa8603f5749d5823891
Instruction ID: 676a8086067f978802b1ac300a7e2bf70b734f8e20104687444d67883697ab2f
Opcode Fuzzy Hash: b6c3671e18102fafb7f465a816c7ff7a11ad7e8ce720faa8603f5749d5823891
Instruction Fuzzy Hash: C421B070900214BBCF05EFA4CC99DEEBBB8AF46390B108196FA65672D1CB3C59059B64

Function 007A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007A3C13

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction ID: f5977a6a3632517722006a40c6ef30ed1361ad8613f2146a7ef80ae23c68d3da
Opcode Fuzzy Hash: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction Fuzzy Hash: 09618E75900248EFDB10DF68CC81EEE77F8EB49710F104199FA15AB291C778AE41DB60

Function 0077B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B165
GetWindowThreadProcessId.USER32(00000000), ref: 0077B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B21D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction ID: 9e553bdb81490b2954950294fbf33e7f4b49b7653afcbdd327f3dc05a9c1e26d
Opcode Fuzzy Hash: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction Fuzzy Hash: D831BD71501208BFDF119F24DC89B6D7BAABB96395F10C804FA08DB191D7BC9E008F68

Function 00742C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00742C94

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 00742CA0
_free.LIBCMT ref: 00742CAB
_free.LIBCMT ref: 00742CB6
_free.LIBCMT ref: 00742CC1
_free.LIBCMT ref: 00742CCC
_free.LIBCMT ref: 00742CD7
_free.LIBCMT ref: 00742CE2
_free.LIBCMT ref: 00742CED
_free.LIBCMT ref: 00742CFB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction ID: b6a43f5aa0e407b4ce2e8f7a30c21fcd7a924bc9f2c1cbcabb2f7372238f5c79
Opcode Fuzzy Hash: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction Fuzzy Hash: A9118076100108EFDB02EF55D886CDD3BA5FF05350F9144A5FA48AB232DB35EA619F90

Function 00787DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00787FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00787FC1
GetFileAttributesW.KERNEL32(?), ref: 00787FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00788005
SetCurrentDirectoryW.KERNEL32(?), ref: 00788017
SetCurrentDirectoryW.KERNEL32(?), ref: 00788060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007880B0

Strings

*.*, xrefs: 00788066

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b78b0e9ff3d08d2d6f06ece8cc991f09c91bec867616b5f5147170d28a975661
Instruction ID: 3d7b99ba003dc667f0906e4badac13a8b25b9c44c357e623a1a185b8f942c624
Opcode Fuzzy Hash: b78b0e9ff3d08d2d6f06ece8cc991f09c91bec867616b5f5147170d28a975661
Instruction Fuzzy Hash: E181A172548201DBCB28FF54C4849AAB3E8BF89310F644C5EF88AD7251EB79ED45CB52

Function 00715BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00715C7A

Part of subcall function 00715D0A: GetClientRect.USER32(?,?), ref: 00715D30
Part of subcall function 00715D0A: GetWindowRect.USER32(?,?), ref: 00715D71
Part of subcall function 00715D0A: ScreenToClient.USER32(?,?), ref: 00715D99

GetDC.USER32 ref: 007546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00754708
SelectObject.GDI32(00000000,00000000), ref: 00754716
SelectObject.GDI32(00000000,00000000), ref: 0075472B
ReleaseDC.USER32(?,00000000), ref: 00754733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007547C4

Strings

U, xrefs: 00754693

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction ID: b882137ff5d1dda9f164b1d720a07bfd4376c252d2416993c6b014c04b0d60b7
Opcode Fuzzy Hash: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction Fuzzy Hash: 0E711330400205EFCF258F68C984AFA3BB1FF8A31AF144669ED515A1A6C7799CC5DF60

Function 0078359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

^ ERROR, xrefs: 007836C9
Error: , xrefs: 007836EF
"%s" (%d) : ==> %s:, xrefs: 00783742
"%s" (%d) : ==> %s:%s%s, xrefs: 00783724
Line %d (File "%s"):, xrefs: 0078366B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 849e504b765fcbe03ba525af43bf68a4c8b7e2c33bb0dbcbae7fd206bb3cb52d
Instruction ID: 0221c687b5867931140c44528a02a70f4ca45806f5d2dceb61dfae1914f56991
Opcode Fuzzy Hash: 849e504b765fcbe03ba525af43bf68a4c8b7e2c33bb0dbcbae7fd206bb3cb52d
Instruction Fuzzy Hash: E55191B1800209FADF15EBA4CC96EEDBB34AF04740F144125F615721A1EB386BD9DFA4

Function 0078C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C2CA
GetLastError.KERNEL32 ref: 0078C322
SetEvent.KERNEL32(?), ref: 0078C336
InternetCloseHandle.WININET(00000000), ref: 0078C341

Strings

, xrefs: 0078C2BB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction ID: 9ed4e96060f9088913b8be0951e92af6d8bb65d55b717a1173c7acf9571b0d9f
Opcode Fuzzy Hash: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction Fuzzy Hash: D8319CB1640208BFD723AFA49C88AAB7BFCEB4A744F14851EF446D2640DB38DD058B71

Function 0077989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00753AAF,?,?,Bad directive syntax error,007ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007798BC
LoadStringW.USER32(00000000,?,00753AAF,?), ref: 007798C3

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00779987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007798F1
., xrefs: 0077996D
Error: , xrefs: 00779955
Line %d:, xrefs: 00779912
Line %d (File "%s"):, xrefs: 0077992D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 543a2e67ee8667919d6c91072a7c630d9058999f0d71c87e10ec000d949eb11f
Instruction ID: 63fe143c677f1d9655ab7cc246022260f11e3aefd5d6f3985f756100ff289c9a
Opcode Fuzzy Hash: 543a2e67ee8667919d6c91072a7c630d9058999f0d71c87e10ec000d949eb11f
Instruction Fuzzy Hash: 0321917180021AFBDF11AF90CC1AEEE7775FF18340F044426F619620A2EB79A658DB60

Function 0077209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0077214D

Strings

smallicons, xrefs: 00772115
SHELLDLL_DefView, xrefs: 007720CC
list, xrefs: 0077212F
details, xrefs: 007720FB
largeicons, xrefs: 007720E1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction ID: 468c0601891aae59edc9cdcaa6a6fac9484dac1266361fa21c9e29455dd385c1
Opcode Fuzzy Hash: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction Fuzzy Hash: F51129B668870EFAFE056624DC0BDA637ACEB05364F608117FB18B51D3FE6D68035618

Function 0074CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0074CEB7
_free.LIBCMT ref: 0074CF22
_free.LIBCMT ref: 0074CF48
_free.LIBCMT ref: 0074CF71
_free.LIBCMT ref: 0074CFA9
_free.LIBCMT ref: 0074CFDA
_free.LIBCMT ref: 0074D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0074D09C
_free.LIBCMT ref: 0074D0B5

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8cad544439ee4336c01ba18c3151f41a0173d61557f25fc7d45911c86d2259f
Instruction ID: 8f3c71c923197a8a6a034b36ddb193dd0a9dcdd40d60a8691aa195c04a01bf6c
Opcode Fuzzy Hash: b8cad544439ee4336c01ba18c3151f41a0173d61557f25fc7d45911c86d2259f
Instruction Fuzzy Hash: 61616B73A06340EFDF22AFB49C89A6E7BA5EF05310F04416DF940AB252DB7D9D4587A0

Function 007A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007A5186
ShowWindow.USER32(?,00000000), ref: 007A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007A51D1

Part of subcall function 007A6FBA: DeleteObject.GDI32(00000000), ref: 007A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007A5296

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: afd2f2385d4ee35b0e7da531ae241b62a88712b923c00a685bf8aeac89bb6807
Instruction ID: 8702e731ae5570ba536d7f5b738a1637fc5aec39b63a84a083f617c8f9a18d0a
Opcode Fuzzy Hash: afd2f2385d4ee35b0e7da531ae241b62a88712b923c00a685bf8aeac89bb6807
Instruction Fuzzy Hash: 19519070A41A08FEEF349F28DC4ABE93B65FB87321F148211F615962E1C77DA990DB41

Function 00728B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00766890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 00766901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0076691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 0076692D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction ID: c322a1d137ec193d85169d28f928d754c2731438a3aeb6a7035f8a9607823914
Opcode Fuzzy Hash: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction Fuzzy Hash: E35178B0A01209EFDB20CF24DC95FAA7BB5FB88750F14851CF916972A0DB79E990DB50

Function 0078C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C182
GetLastError.KERNEL32 ref: 0078C195
SetEvent.KERNEL32(?), ref: 0078C1A9

Part of subcall function 0078C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
Part of subcall function 0078C253: GetLastError.KERNEL32 ref: 0078C322
Part of subcall function 0078C253: SetEvent.KERNEL32(?), ref: 0078C336
Part of subcall function 0078C253: InternetCloseHandle.WININET(00000000), ref: 0078C341

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction ID: 85922222b3b36ceea9b08277edfb018b42acbed4a27901c3a23637768fe4fec0
Opcode Fuzzy Hash: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction Fuzzy Hash: 43318C71640605BFDB23AFB5DC48A66BBF8FF59300B04841DF95686660DB39E8149BB0

Function 007725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00772601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00772605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0077260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00772623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00772627

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction ID: f349deb9227eaa5c586b99ac1e2baa8a9e0ed3f947f17a84d099687f19856b23
Opcode Fuzzy Hash: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction Fuzzy Hash: DA01D471390214BBFB106768DC8FF593F59DB8EB52F108041F328AE0D1C9EA28459E6D

Function 00771803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00771449,?,?,00000000), ref: 0077180C
HeapAlloc.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771828
GetCurrentProcess.KERNEL32(?,00000000,?,00771449,?,?,00000000), ref: 00771830
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771843
GetCurrentProcess.KERNEL32(00771449,00000000,?,00771449,?,?,00000000), ref: 0077184B
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 0077184E
CreateThread.KERNEL32(00000000,00000000,00771874,00000000,00000000,00000000), ref: 00771868

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction ID: 87898c13a66add17a974d5164bee916431b6f46fe9492503eb0096984702e29c
Opcode Fuzzy Hash: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction Fuzzy Hash: AC01ACB5340308BFE611ABA5DC4AF573BACEB8AB11F418411FA05DB191DA7498008B25

Function 00743E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00743F0B
__alldvrm.LIBCMT ref: 0074410C
__alldvrm.LIBCMT ref: 0074412E

Strings

}}s, xrefs: 007440CD
}}s, xrefs: 00743E8A
}}s, xrefs: 00743E96, 00743EF1, 00743F0A, 00744090

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}s$}}s$}}s
API String ID: 1036877536-1291969072
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1fa862bddcd80b2cdcd3967b96d5e0370edb57413298658c437698e8910e90ca
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: D9A14672E003869FEB25CF18C8917AEBBF4EF61350F1841AEE5959B282C73C8985D750

Function 0079A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0077D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Part of subcall function 0077D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Part of subcall function 0077D4DC: CloseHandle.KERNELBASE(00000000), ref: 0077D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A16D
GetLastError.KERNEL32 ref: 0079A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0079A268
GetLastError.KERNEL32(00000000), ref: 0079A273
CloseHandle.KERNEL32(00000000), ref: 0079A2C4

Strings

SeDebugPrivilege, xrefs: 0079A18F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 163e9b790e186cda8f0d3f1eee029b2f4df17748ef316765fe221ed80a363ab7
Instruction ID: 84648d28c6efe1296582c53bcaa36a178e6a4445885b19195b87d3ebb621ee05
Opcode Fuzzy Hash: 163e9b790e186cda8f0d3f1eee029b2f4df17748ef316765fe221ed80a363ab7
Instruction Fuzzy Hash: A461AF71209241AFDB20DF18D498F15BBE1AF84318F18848CE4664B7A3C77AEC85CBD2

Function 007A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007A3954
_wcslen.LIBCMT ref: 007A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007A39F4

Strings

SysListView32, xrefs: 007A38F7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction ID: 2d1d3c296e243c2087eee341f568cc2062283eed0b45ecc767097bedb288c194
Opcode Fuzzy Hash: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction Fuzzy Hash: 5F41C671A00218BBEF21DF64CC49FEA77A9EF49354F100226F958E7281D7799E80CB90

Function 0077BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077BCFD
IsMenu.USER32(00000000), ref: 0077BD1D
CreatePopupMenu.USER32 ref: 0077BD53
GetMenuItemCount.USER32(0126F878), ref: 0077BDA4
InsertMenuItemW.USER32(0126F878,?,00000001,00000030), ref: 0077BDCC

Strings

2, xrefs: 0077BD37
0, xrefs: 0077BCA8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction ID: 043329400da1f108a0cee8bdc7de2762ec673f105c2d9153dcd542e9d413edc9
Opcode Fuzzy Hash: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction Fuzzy Hash: 03518070B00305EFDF25CFA8D888BAEBBF4AF45394F24C169E41997291D778A941CB61

Function 00732D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00732D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00732D53
_ValidateLocalCookies.LIBCMT ref: 00732DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00732E0C
_ValidateLocalCookies.LIBCMT ref: 00732E61

Strings

csm, xrefs: 00732DF6
&Hs, xrefs: 00732DFE, 00732E07, 00732E18

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hs$csm
API String ID: 1170836740-1354961900
Opcode ID: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction ID: cbf83cd26fe9113664fd4031fe5b3581529f6dfd4801e48612d675d9881b3f06
Opcode Fuzzy Hash: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction Fuzzy Hash: EE419374A10209EBDF10DF68C849A9EBBB5BF44324F148155E915AB353D739EA06CBE0

Function 0077C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0077C913

Strings

info, xrefs: 0077C8B4
stop, xrefs: 0077C8E4
blank, xrefs: 0077C895
warning, xrefs: 0077C8FC
question, xrefs: 0077C8CC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction ID: daa68b2b1e5c4ac8de3066ee2b5346ae93924b72dbad2f4af70c1fb0b1e87d64
Opcode Fuzzy Hash: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction Fuzzy Hash: 9011EE3168930AFEEB065B549C82CDA67ACDF193A4B10842FF508A5282D76C7D005669

Function 0077DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0077DE42
gethostname.WSOCK32(?,00000100), ref: 0077DE5C
gethostbyname.WSOCK32(?), ref: 0077DE69
inet_ntoa.WSOCK32(?), ref: 0077DEAB
_strcat.LIBCMT ref: 0077DEB9
WSACleanup.WSOCK32 ref: 0077DEDE

Strings

0.0.0.0, xrefs: 0077DE87

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 72edd031d9f55fda6e7787e4997e5a8999d7476841596ebdbb1fbf5573a5518b
Instruction ID: 2256a2199d3172eaf9781dfef8be688cde475d3d43fb15d06aad71b2c4f553d9
Opcode Fuzzy Hash: 72edd031d9f55fda6e7787e4997e5a8999d7476841596ebdbb1fbf5573a5518b
Instruction Fuzzy Hash: F7110672904114FBDF36AB309C0AEEE77BCDF55751F0041A9F40996092EFBD9E818AA0

Function 0077ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0077ED2A
_wcslen.LIBCMT ref: 0077ED3B
_wcslen.LIBCMT ref: 0077ED79
_wcslen.LIBCMT ref: 0077EDAF
_wcslen.LIBCMT ref: 0077EDDF
_wcslen.LIBCMT ref: 0077EDEF
_wcslen.LIBCMT ref: 0077EE2B
_wcslen.LIBCMT ref: 0077EE5A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction ID: d27baaf659fcf280150b40660b486edef22881bc1c04af6a2d0cfec3c3412e67
Opcode Fuzzy Hash: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction Fuzzy Hash: 80419666C10118B5EB21EBF4888EACF77A8AF49710F508462F518E3123FB3CE655C3A5

Function 0072F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0072F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F454

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction ID: aaa872d5f42dd3b604d00f0b5aafbc98e9c0a6addc0113da47d67118295efcad
Opcode Fuzzy Hash: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction Fuzzy Hash: AE410A31608690BEC7399B2DF88872A7BB5AB96314F54843DE4C7D6661DA3DB8C0CB11

Function 007A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A2D1B
GetDC.USER32(00000000), ref: 007A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007A2DE1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction ID: 7d7bd8a1d2d54d25b90b6c3c2c37ea6c3335fd060f2ce4f3bc0291cfc67eaf5c
Opcode Fuzzy Hash: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction Fuzzy Hash: 9A318072201214BFEB158F54CC89FEB3FADEF8A715F048155FE089A292C6799C51C7A4

Function 00775622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775637
_memcmp.LIBVCRUNTIME ref: 00775659
_memcmp.LIBVCRUNTIME ref: 00775671
_memcmp.LIBVCRUNTIME ref: 00775684
_memcmp.LIBVCRUNTIME ref: 0077569E
_memcmp.LIBVCRUNTIME ref: 007756B1
_memcmp.LIBVCRUNTIME ref: 007756C9
_memcmp.LIBVCRUNTIME ref: 007756E4

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction ID: 9f5cdf6266d20c1969ab24c6d755083bde103c94d6bdaed90506daffad9363ad
Opcode Fuzzy Hash: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction Fuzzy Hash: 6821FCA1740A09B7EA1857218D82FFA335CAF517D4F848120FD0CDA542F7ADEE1082F5

Function 00794FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0079502E, 00795383
Not an Object type, xrefs: 00795007

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b59fd9e36f3f4546ffa9dc0e615a3fae4934718228bdc4d571be34f8a2b53d1b
Instruction ID: 091218591e2498ce87cb8a9748c28ffec8dca6af14bfd5fd8502ea3b2c01d1c4
Opcode Fuzzy Hash: b59fd9e36f3f4546ffa9dc0e615a3fae4934718228bdc4d571be34f8a2b53d1b
Instruction Fuzzy Hash: 35D1E471A0061AAFDF11CFA8E885BAEB7B5FF48344F148169E915AB281E374DD41CB90

Function 00751522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00751651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007516FB

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00751777
__freea.LIBCMT ref: 007517A2
__freea.LIBCMT ref: 007517AE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction ID: e3bcdbfa30defbe245a3376009d1589fad420cbb2a65c49ef194ce2465f74dd1
Opcode Fuzzy Hash: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction Fuzzy Hash: 6B91D571E002169ADB208E78C885BEE7BB5DF49313F984659EC01E7141EBBDCD48C760

Function 00794523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00794648
VariantInit.OLEAUT32(?), ref: 00794749
VariantClear.OLEAUT32(?), ref: 00794753
VariantClear.OLEAUT32(?), ref: 007947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0079472C
Null Object assignment in FOR..IN loop, xrefs: 007945D8, 00794706, 007947BE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 66878766e0dbf6555b72d1f0cf8d8c604a9681dca36e946464b140eee8683435
Instruction ID: 57da5829f894b22822e49af9a33af9ff3f90da0972e4413065a4073307675847
Opcode Fuzzy Hash: 66878766e0dbf6555b72d1f0cf8d8c604a9681dca36e946464b140eee8683435
Instruction Fuzzy Hash: 12919471A00219EBDF24CFA4DC48FAE7BB8EF46714F108559F505AB280D7789942CFA0

Function 00781187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0078125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00781284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0078135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00781430

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction ID: c58f0240b76f4c088f7d9e479dd4be0860ab5a4fb8985a9a9b5c25ed038da7d4
Opcode Fuzzy Hash: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction Fuzzy Hash: 5591D471A40218EFDB01EF98C888BBE77B9FF45325F504029E905E7291D77CA946CB94

Function 0072948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction ID: 1db8bfb72d5145652abec93baf0134b1f96d1a98a68990e29a41a9bfac568acd
Opcode Fuzzy Hash: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction Fuzzy Hash: 75915C71E00219EFCB15CFA9DC84AEEBBB8FF49320F148055E915B7291D378A951CB60

Function 00793947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079396B
CharUpperBuffW.USER32(?,?), ref: 00793A7A
_wcslen.LIBCMT ref: 00793A8A
VariantClear.OLEAUT32(?), ref: 00793C1F

Part of subcall function 00780CDF: VariantInit.OLEAUT32(00000000), ref: 00780D1F
Part of subcall function 00780CDF: VariantCopy.OLEAUT32(?,?), ref: 00780D28
Part of subcall function 00780CDF: VariantClear.OLEAUT32(?), ref: 00780D34

Strings

Incorrect Parameter format, xrefs: 007939A6, 00793BA1
AUTOIT.ERROR, xrefs: 00793A80, 00793A85

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction ID: 486d14978b32bb3dc3e34b91c8cb593a2fd92ca05da94d29e879775daeea1db3
Opcode Fuzzy Hash: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction Fuzzy Hash: 249144756083059FCB04EF28D48596AB7E5FF89314F14882DF8899B351DB38EE45CB92

Function 00794BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0077000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
Part of subcall function 0077000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
Part of subcall function 0077000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
Part of subcall function 0077000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00794C51
_wcslen.LIBCMT ref: 00794D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00794DCF
CoTaskMemFree.OLE32(?), ref: 00794DDA

Strings

NULL Pointer assignment, xrefs: 00794E23, 00794E52

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction ID: a826c8bec5a95e51e26e92f8b7ef1400dbebae25387448eafb4f7f08564c63f1
Opcode Fuzzy Hash: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction Fuzzy Hash: 7F911771D00219EFDF15DFA4D895EEEB7B8BF08310F108169E919A7291DB389A45CFA0

Function 007A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007A2183
GetMenuItemCount.USER32(00000000), ref: 007A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007A21DD
_wcslen.LIBCMT ref: 007A2213
GetMenuItemID.USER32(?,?), ref: 007A224D
GetSubMenu.USER32(?,?), ref: 007A225B

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007A22E3

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6c17123b4eb8e13e8b80882b5a646fa277ec93c4091f1d42e573d6ca2f60a4dd
Instruction ID: 5f496f74baad75f0e164df5f4c66a4e0a5cd03224669a34c737b03a01ffbc9f8
Opcode Fuzzy Hash: 6c17123b4eb8e13e8b80882b5a646fa277ec93c4091f1d42e573d6ca2f60a4dd
Instruction Fuzzy Hash: C1718135A00205EFCB15DF68C845AAEB7F5FF89310F158559E816EB392DB38ED428B90

Function 007A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0126F8F0), ref: 007A7F37
IsWindowEnabled.USER32(0126F8F0), ref: 007A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007A801E
SendMessageW.USER32(0126F8F0,000000B0,?,?), ref: 007A8051
IsDlgButtonChecked.USER32(?,?), ref: 007A8089
GetWindowLongW.USER32(0126F8F0,000000EC), ref: 007A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007A80C3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c4edfcfaa1dbe97fb2fd9842830cf83a4addba1c842c604a13b4f7a8dffac58
Instruction ID: 81494061b779caa36139122ad32bc755e05c6e369050f132fc9ae74d1bbf7e0f
Opcode Fuzzy Hash: 3c4edfcfaa1dbe97fb2fd9842830cf83a4addba1c842c604a13b4f7a8dffac58
Instruction Fuzzy Hash: 2A71BF35608244EFEF29DF54CC84FAA7BB5EF8B300F144299F94597261CB39AA46CB10

Function 0077AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0077AEF9
GetKeyboardState.USER32(?), ref: 0077AF0E
SetKeyboardState.USER32(?), ref: 0077AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0077AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0077AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0077AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0077B020

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction ID: f839fcb0f75cd0a06b3deb4fdb94dbffd986f4999fd90ed1407a26f67d0aa1e9
Opcode Fuzzy Hash: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction Fuzzy Hash: 7F51C0A06087D53DFF3682348849BBABEA95B46384F08C589E1DD958C2C3DCE888D761

Function 0077ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0077AD19
GetKeyboardState.USER32(?), ref: 0077AD2E
SetKeyboardState.USER32(?), ref: 0077AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0077ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0077ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0077AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0077AE38

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction ID: ea15915b231fe0a9e65c5539d6a12179a46f456cf7f5996246cb9231d428082b
Opcode Fuzzy Hash: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction Fuzzy Hash: F051A3A16047D53DFF3783248C56BBE7EA96B86340F08C589E1DD46882D29CAC94D752

Function 0074542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00753CD6,?,?,?,?,?,?,?,?,00745BA3,?,?,00753CD6,?,?), ref: 00745470
__fassign.LIBCMT ref: 007454EB
__fassign.LIBCMT ref: 00745506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00753CD6,00000005,00000000,00000000), ref: 0074552C
WriteFile.KERNEL32(?,00753CD6,00000000,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 0074554B
WriteFile.KERNEL32(?,?,00000001,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 00745584

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction ID: 10bf75a695019a5eb57b5524ba20365d7e455ab97ff693bd6fef1dce28cb63fe
Opcode Fuzzy Hash: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction Fuzzy Hash: 2851E670A00649AFDB11CFA8D885AEEFBFAEF09300F14411AF555E7292E7349A51CB60

Function 007910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00791112
WSAGetLastError.WSOCK32 ref: 00791121
WSAGetLastError.WSOCK32 ref: 007911C9
closesocket.WSOCK32(00000000), ref: 007911F9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction ID: 443a8aaf88ddbaacbe4aaf25af00f731db032f0474a022cc33d394f72780b2cf
Opcode Fuzzy Hash: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction Fuzzy Hash: B541F431600209FFDB119F58D888BA9BBEAFF85324F148059F9159B291D778ED81CBA1

Function 0077CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

lstrcmpiW.KERNEL32(?,?), ref: 0077CF45
MoveFileW.KERNEL32(?,?), ref: 0077CF7F
_wcslen.LIBCMT ref: 0077D005
_wcslen.LIBCMT ref: 0077D01B
SHFileOperationW.SHELL32(?), ref: 0077D061

Strings

\*.*, xrefs: 0077CFF3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 57a80be3a6d7426630cc611d64db7763978f18860d8ce00b6cf31345cbc61ddf
Instruction ID: 0a7a506feae95326bdfbbdbe4bbc846970fe3cccbb7fec4fbae78eac38b043bf
Opcode Fuzzy Hash: 57a80be3a6d7426630cc611d64db7763978f18860d8ce00b6cf31345cbc61ddf
Instruction Fuzzy Hash: F74157729052189EDF17EFA4C985BDDB7B9AF09380F0440E6E509E7142EA38AA44CB50

Function 007A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A2F0B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction ID: c310c7d8a3e36e395a4c7a68bfb87f3074e547fdeab5bd17e06dd89eb09ee7bd
Opcode Fuzzy Hash: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction Fuzzy Hash: 8631F230609290EFEB21CF5CDC89F6537E1EB8A710F1542A4F9008F2B2CB79A881DB45

Function 00777726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077778F
SysAllocString.OLEAUT32(00000000), ref: 00777792
SysAllocString.OLEAUT32(?), ref: 007777B0
SysFreeString.OLEAUT32(?), ref: 007777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007777DE
SysAllocString.OLEAUT32(?), ref: 007777EC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 564f6bd74184dbca37457e2bdb5ec10b474ba74549dd66c7eb215df44970a218
Instruction ID: 09a9dcb49e9006cf5908129c2e009c96f134ff7a7f7c4ed34da84dff5c16c833
Opcode Fuzzy Hash: 564f6bd74184dbca37457e2bdb5ec10b474ba74549dd66c7eb215df44970a218
Instruction Fuzzy Hash: 97219C76604219BFDF199FA8DC89CBB77ACEB093A4700C025FA08DB150D6789C41C7A8

Function 007777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777868
SysAllocString.OLEAUT32(00000000), ref: 0077786B
SysAllocString.OLEAUT32 ref: 0077788C
SysFreeString.OLEAUT32 ref: 00777895
StringFromGUID2.OLE32(?,?,00000028), ref: 007778AF
SysAllocString.OLEAUT32(?), ref: 007778BD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7bc1b61788c9d8549be975f64b42827f60b7046f1913b6a51571444299699e56
Instruction ID: 9e3dcb49674d962a2c720522d141ad1aedd61244d11c3c988cc51fe0af1a02c4
Opcode Fuzzy Hash: 7bc1b61788c9d8549be975f64b42827f60b7046f1913b6a51571444299699e56
Instruction Fuzzy Hash: 36218E71608204BF9F159BA8DC8CDBA77ECEB493A0710C125F919CB2A1DA78DC41CB69

Function 007804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0078052E

Strings

nul, xrefs: 00780567

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction ID: 7b8f6bda2c5ffe09df9b6f25b1e90c2463d79f61a8da658618865e81941c0a9d
Opcode Fuzzy Hash: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction Fuzzy Hash: F2218071640305AFDB20AF29DC08E9A77F4BF85724F204A19F8A1D62E0D7749968CFB0

Function 007805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00780601

Strings

nul, xrefs: 00780639

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction ID: c91ddfd124518ab22963c918711ac8f18e4687b9b3f0c2015bb1eba70a67dbd6
Opcode Fuzzy Hash: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction Fuzzy Hash: 8521B775640305AFDB60AF68CC08A5A77F4BF85720F204B19F8B1D32D0E7749864CBA0

Function 007A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007A4145

Strings

Msctls_Progress32, xrefs: 007A40E3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction ID: 1b83b845f1595856cc86a4abe0b7f6901d3b5097a2e3b11519934f9dc5678275
Opcode Fuzzy Hash: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction Fuzzy Hash: 5E11B6B214011DBEEF119F64CC85EE77F9DEF49798F004211B618A6150C6769C61DBA4

Function 0074D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0074D7A3: _free.LIBCMT ref: 0074D7CC

_free.LIBCMT ref: 0074D82D

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D838
_free.LIBCMT ref: 0074D843
_free.LIBCMT ref: 0074D897
_free.LIBCMT ref: 0074D8A2
_free.LIBCMT ref: 0074D8AD
_free.LIBCMT ref: 0074D8B8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b320a4b62d0a679d12d76f64c39e08dea60116b76b557046721243a63fd439b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D111DD71541B04EBE932BFB1CC4BFCB7BDC6F05700F804825B2D9A65A2DB79B9164A50

Function 0077DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0077DA74
LoadStringW.USER32(00000000), ref: 0077DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0077DA91
LoadStringW.USER32(00000000), ref: 0077DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0077DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0077DAB9

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction ID: 338dbc0c5e1da14efc52f98b726e3c234bd3d4ebef394f32c4e02f25a59f4b12
Opcode Fuzzy Hash: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction Fuzzy Hash: E50162F25002087FEB11DBA0DD89EE7336CEB09741F408496B70AE2041EA789E844F74

Function 0078096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0125DF88,0125DF88), ref: 0078097B
EnterCriticalSection.KERNEL32(0125DF68,00000000), ref: 0078098D
TerminateThread.KERNEL32(?,000001F6), ref: 0078099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007809A9
CloseHandle.KERNEL32(?), ref: 007809B8
InterlockedExchange.KERNEL32(0125DF88,000001F6), ref: 007809C8
LeaveCriticalSection.KERNEL32(0125DF68), ref: 007809CF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction ID: 21c661b928f8a2bb304b205e712d579faaef1b687436dda6ecf709f7da615aa3
Opcode Fuzzy Hash: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction Fuzzy Hash: E8F04431542502FBD7425F94EE8DBD67B35FF42702F405015F101508A0CB78A475CF95

Function 00715D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00715D30
GetWindowRect.USER32(?,?), ref: 00715D71
ScreenToClient.USER32(?,?), ref: 00715D99
GetClientRect.USER32(?,?), ref: 00715ED7
GetWindowRect.USER32(?,?), ref: 00715EF8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bd86771ee0a4adb37cdb616d5640542bc3f8d304354d3abfe2add92e660f48e2
Instruction ID: bab8dfe7f80b3d07cd17da5d6480cb68adf285f2a32c966f5e531b30352ed936
Opcode Fuzzy Hash: bd86771ee0a4adb37cdb616d5640542bc3f8d304354d3abfe2add92e660f48e2
Instruction Fuzzy Hash: 2AB17B34A0064ADBDB14CFA8C4807EEB7F1FF84314F14851AE8A9D7290D738AA95DB54

Function 007401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007400D6
__allrem.LIBCMT ref: 007400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0074010B
__allrem.LIBCMT ref: 00740122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00740140

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 934cd40fed86ad28cbe13f1e092e33dd65c2e715ff2e28a3c58434ae9a1df0b8
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: CF81F676A00706EBE720AE39CC45B6F73E9AF51364F24453AFA51D7682E778DD008B90

Function 00791D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00793149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00793195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00791DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00791DE1
WSAGetLastError.WSOCK32 ref: 00791DF2
inet_ntoa.WSOCK32(?), ref: 00791E8C
htons.WSOCK32(?), ref: 00791EDB
_strlen.LIBCMT ref: 00791F35

Part of subcall function 007739E8: _strlen.LIBCMT ref: 007739F2

Part of subcall function 00716D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0072CF58,?,?,?), ref: 00716DBA
Part of subcall function 00716D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0072CF58,?,?,?), ref: 00716DED

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 1b37b43983d86e2286fa64b7098418d5d3d816262e94f27da049ac5ee0f81348
Instruction ID: d834b730b5a71771cf3ae54e5c814547960bfb44a927a7c7fa8f3a97e84c5d7a
Opcode Fuzzy Hash: 1b37b43983d86e2286fa64b7098418d5d3d816262e94f27da049ac5ee0f81348
Instruction Fuzzy Hash: 93A10331204341EFCB14DF24D889E6AB7E5AF85308F94894CF4565B2E2DB39ED82CB91

Function 007461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007382D9,007382D9,?,?,?,0074644F,00000001,00000001,8BE85006), ref: 00746258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0074644F,00000001,00000001,8BE85006,?,?,?), ref: 007462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007463D8
__freea.LIBCMT ref: 007463E5

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

__freea.LIBCMT ref: 007463EE
__freea.LIBCMT ref: 00746413

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction ID: d003556acf7cc89bcb35faa0134dfadf6f7f799ecc34295b25a0b934bb3ccb50
Opcode Fuzzy Hash: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction Fuzzy Hash: 1951E172A00256ABEB258F64CC85EBF7BAAEF46750F144669FC05D6180EB7CDC40C6A1

Function 0079BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BD25
RegCloseKey.ADVAPI32(00000000), ref: 0079BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0079BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079BDF3
RegCloseKey.ADVAPI32(?), ref: 0079BDFF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fc88d71f57be67d8f26c642c977d4960df02c820e47ad48ee2ad10742e9cc17c
Instruction ID: e42279537fe5cf3be91be60ad1afef9cf88d2b0e0539ac95392fab1511ba2836
Opcode Fuzzy Hash: fc88d71f57be67d8f26c642c977d4960df02c820e47ad48ee2ad10742e9cc17c
Instruction Fuzzy Hash: 7B81CD30208241EFCB14DF24D995E6ABBE5FF85308F14885CF5594B2A2DB39ED45CB92

Function 0076F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0076F7B9
SysAllocString.OLEAUT32(00000001), ref: 0076F860
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F889
VariantClear.OLEAUT32(0076FA64), ref: 0076F8AD
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F8B1
VariantClear.OLEAUT32(?), ref: 0076F8BB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction ID: 37b7ac6a2232b38e2e3b0c3cdc87627fd611a7bfc4dc6c07b787581a1d3ede74
Opcode Fuzzy Hash: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction Fuzzy Hash: 0951B631601310FACF24AB65E899B69B3E9EF45310B249467ED07DF291DB789C40CB96

Function 0078910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007894E5
_wcslen.LIBCMT ref: 00789506
_wcslen.LIBCMT ref: 0078952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00789585

Strings

X, xrefs: 00789412

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6f74628fb7faaa6b721cdc0bdc17e633d2025bf3ee82aee86fe61869a1de774a
Instruction ID: 32a75576053e7a41b55c92101b8a47a3cd18d51b7b4abc4e7a46a7615d474caa
Opcode Fuzzy Hash: 6f74628fb7faaa6b721cdc0bdc17e633d2025bf3ee82aee86fe61869a1de774a
Instruction Fuzzy Hash: F6E1B431504340DFD724EF28C885AAAB7E0BF85314F08856DF9999B2A2DB39ED45CB91

Function 0072920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

BeginPaint.USER32(?,?,?), ref: 00729241
GetWindowRect.USER32(?,?), ref: 007292A5
ScreenToClient.USER32(?,?), ref: 007292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007292D3
EndPaint.USER32(?,?,?,?,?), ref: 00729321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007671EA

Part of subcall function 00729339: BeginPath.GDI32(00000000), ref: 00729357

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction ID: d9877d1b4fdb6510af0a0610396975b7c1777886fa3b864099af432ffed39cb9
Opcode Fuzzy Hash: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction Fuzzy Hash: A841D270105250EFD711DF24DC85FBA7BF8EB8A364F184229FA558B2A2C738A845DB61

Function 007807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0078080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00780847
EnterCriticalSection.KERNEL32(?), ref: 00780863
LeaveCriticalSection.KERNEL32(?), ref: 007808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00780921

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fadbb26d29cf94dfe0875f5db7c8877d41c2098ad07203e90e099a1a6f14a573
Instruction ID: d4124d6d6eaa41f4709f2958efed107cfa10137ba232306d6a230d0ad6589633
Opcode Fuzzy Hash: fadbb26d29cf94dfe0875f5db7c8877d41c2098ad07203e90e099a1a6f14a573
Instruction Fuzzy Hash: A3418D71A00205EFDF15AF54DC85AAA7778FF44310F1480B9ED00AA297DB38EE65DBA4

Function 007A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0076F3AB,00000000,?,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 007A824C
EnableWindow.USER32(?,00000000), ref: 007A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007A82D1
ShowWindow.USER32(?,00000004), ref: 007A82E5
EnableWindow.USER32(?,00000001), ref: 007A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007A832F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction ID: 1a61f3781e4aa8a6525ebfa625d660b535f0d0f268c456ecb0d35135aff55593
Opcode Fuzzy Hash: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction Fuzzy Hash: 8041A630601684EFDF55CF14D899BA47BE0FB8B714F1842A5E6484F2A2CB396841CF56

Function 00774C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00774C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00774CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00774CEA
_wcslen.LIBCMT ref: 00774D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00774D10
_wcsstr.LIBVCRUNTIME ref: 00774D1A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ce6566ff92f743993a65bacbc8ed18348e8b0887d2c1d5d7ca0db17898a1381a
Instruction ID: 5f0027283bbee1c28cb1fcf7fcf94576a4574ff501fa988369f73cb72357ea09
Opcode Fuzzy Hash: ce6566ff92f743993a65bacbc8ed18348e8b0887d2c1d5d7ca0db17898a1381a
Instruction Fuzzy Hash: 3321FC31704210BBEF269B39AC49E7B7BACDF46790F10C079F909CA152EF69DC0196A0

Function 0078581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

_wcslen.LIBCMT ref: 0078587B
CoInitialize.OLE32(00000000), ref: 00785995
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 007859AE
CoUninitialize.OLE32 ref: 007859CC

Strings

.lnk, xrefs: 00785876, 007858C1, 00785985

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aa7d380027c503b89f904981543c7976af8bb58978d2ca0e5f986a070595334b
Instruction ID: f8a96ac652b3e176f9f853fad41bec5c444adacae372b3beb4e22e432c6b2ebb
Opcode Fuzzy Hash: aa7d380027c503b89f904981543c7976af8bb58978d2ca0e5f986a070595334b
Instruction Fuzzy Hash: CAD164B1604600DFC714EF28C48496ABBF2FF89710F148859F8899B361DB39EC45CB92

Function 0077175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
Part of subcall function 00770FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
Part of subcall function 00770FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
Part of subcall function 00770FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

GetLengthSid.ADVAPI32(?,00000000,00771335), ref: 007717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007717BA
HeapAlloc.KERNEL32(00000000), ref: 007717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007717DA
GetProcessHeap.KERNEL32(00000000,00000000,00771335), ref: 007717EE
HeapFree.KERNEL32(00000000), ref: 007717F5

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction ID: 8ed5e9991a0465e5a934a10b3af634b5a47f608cb001feade70c71aea4b97aae
Opcode Fuzzy Hash: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction Fuzzy Hash: 55117C71600209FFDF199FA8CC49BAF7BA9EB86395F50C018F44597210D739A944CFA0

Function 007714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00771506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00771515
CloseHandle.KERNEL32(00000004), ref: 00771520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00771563

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction ID: 5b381dcc736f60cc94a0fd1a315759107b45225552f6b37422945c5c586b3ad5
Opcode Fuzzy Hash: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction Fuzzy Hash: AF113A7250024DBBDF128F98DD49FDE7BA9EF89744F048055FA09A2160C379CE64DB61

Function 00733382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00733379,00732FE5), ref: 00733390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0073339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007333B7
SetLastError.KERNEL32(00000000,?,00733379,00732FE5), ref: 00733409

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 06a5d07238b3e98a52c5dbdb5c47f83aff48b18134a257c23df1a4b67de7bf31
Instruction ID: a511d4771ce9f10f6cfae09293ef845fac0fef325e1fe403ed703c08272bfe34
Opcode Fuzzy Hash: 06a5d07238b3e98a52c5dbdb5c47f83aff48b18134a257c23df1a4b67de7bf31
Instruction Fuzzy Hash: D001F73360E312FEBA3627757C8A6676BA4EB05379F20C22AF410852F3EF1D4D019548

Function 00742D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00745686,00753CD6,?,00000000,?,00745B6A,?,?,?,?,?,0073E6D1,?,007D8A48), ref: 00742D78
_free.LIBCMT ref: 00742DAB
_free.LIBCMT ref: 00742DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DEC
_abort.LIBCMT ref: 00742DF2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7a9b99ff6b36a3e66fa9f31e3dba58e66db0b8578298f5553c8cfa8f4ea0ab02
Instruction ID: 96582149e7a18aa565d2bd9d77c745bc56a14802e904a7250713dd578122b68a
Opcode Fuzzy Hash: 7a9b99ff6b36a3e66fa9f31e3dba58e66db0b8578298f5553c8cfa8f4ea0ab02
Instruction Fuzzy Hash: 79F0A431A05A01B7C6176735AC0EB1A2669AFC27A1B644419F824921A3EF6C98235961

Function 007A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007A8A70
LineTo.GDI32(?,00000000,00000003), ref: 007A8A80
EndPath.GDI32(?), ref: 007A8A90
StrokePath.GDI32(?), ref: 007A8AA0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction ID: 4f4340b4b2601cdd0fea9a7bc33a75edba9c1d00a44da350c2eb9aff0ba56d33
Opcode Fuzzy Hash: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction Fuzzy Hash: CB11057600014CFFEB129F90DC88EAA7FACEB09350F04C022BA199A1A1C775AD55DBA4

Function 007751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00775218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00775229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00775230
ReleaseDC.USER32(00000000,00000000), ref: 00775238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0077524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00775261

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction ID: 9d16cef0de00a27920edc8651dfc34e6fd2cbf97a01d1a1cc0abf62477e07d94
Opcode Fuzzy Hash: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction Fuzzy Hash: A9018FB5A00708BBEF119BA59C49A4EBFB8FB89351F048065FA04A7281D6749C00CBA4

Function 00711BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction ID: a20a0c87b58452d5c1ddddab5f1d37eb41ec8c55d5821e473e5ae642fe3e6d68
Opcode Fuzzy Hash: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction Fuzzy Hash: 9B0167B0902B5ABDE3008F6A8C85B52FFE8FF59354F04415BA15C4BA42C7F5A864CBE5

Function 0077EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0077EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0077EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0077EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB75

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction ID: 0f139b76699644a87a5f3d4eddf8348181555bf9412fe73629aba430720de79f
Opcode Fuzzy Hash: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction Fuzzy Hash: 99F054B2240158BBE7225B52DC0EEEF3E7CEFCBB11F008159F601D1091DBA85A01C6B9

Function 00767439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00767452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00767469
GetWindowDC.USER32(?), ref: 00767475
GetPixel.GDI32(00000000,?,?), ref: 00767484
ReleaseDC.USER32(?,00000000), ref: 00767496
GetSysColor.USER32(00000005), ref: 007674B0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction ID: 3d61583e9d91f65e67d43268180fb97b0f65bd871d68cb52166a922b7edf9fa1
Opcode Fuzzy Hash: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction Fuzzy Hash: 26018B31400215FFDB129FA4DD08BAA7FB5FB45311F648060FD16A61A0CF391E51EB54

Function 00771874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0077187F
UnloadUserProfile.USERENV(?,?), ref: 0077188B
CloseHandle.KERNEL32(?), ref: 00771894
CloseHandle.KERNEL32(?), ref: 0077189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007718A5
HeapFree.KERNEL32(00000000), ref: 007718AC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction ID: b726b52f8103410e8cfcbcff62722f60089ad6ea9eb3f69ca9adda4f899ceca5
Opcode Fuzzy Hash: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction Fuzzy Hash: C7E0E576204105BBDB025FA1ED0C90ABF79FF8AB22B10C220F22581070CB369821DF5A

Function 0071BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BEB3

Strings

D%~, xrefs: 0071BCA2
D%~D%~, xrefs: 0071BCA5
D%~, xrefs: 0071BE9A
D%~, xrefs: 0071BDED, 0071BD91, 0071BD1B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%~$D%~$D%~$D%~D%~
API String ID: 1385522511-534703835
Opcode ID: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction ID: 0bde99fd833bef1f27ec1452ea331335c1f37e5bb5b901c50471117c5d4c6e54
Opcode Fuzzy Hash: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction Fuzzy Hash: 55911775A0020ADFCB18CF5DC0916EAB7F1FF58310F248169D985AB391E779A981CBE0

Function 00797B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00797BFB

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Strings

+Tv, xrefs: 00797E2E
5, xrefs: 00797C78
G, xrefs: 00797C7F
Variable must be of type 'Object'., xrefs: 00797C3A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tv$5$G$Variable must be of type 'Object'.
API String ID: 535116098-960950384
Opcode ID: 17c928d6efbbd3b26fd4f69f84275755d655f945d4f0c026117855f16e1d7ba2
Instruction ID: 138e8bf49927cae45a7c690dcc88912c4f30414e035a2e5d46fe7741fc3150a3
Opcode Fuzzy Hash: 17c928d6efbbd3b26fd4f69f84275755d655f945d4f0c026117855f16e1d7ba2
Instruction Fuzzy Hash: 34919D70A14209EFCF08EF58E8959BDB7B5FF49300F148059F8069B292DB79AE41CB60

Function 0077C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C6EE
_wcslen.LIBCMT ref: 0077C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0077C7CA

Strings

0, xrefs: 0077C6AF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2152b43fb6813a82b6ceb398a3f9582da8ae2b07087fc2aad91fbe885307fec8
Instruction ID: e4276643fcd350c21c370fcc79d4352cc44f1fde62878ac59636615cd89e3e9b
Opcode Fuzzy Hash: 2152b43fb6813a82b6ceb398a3f9582da8ae2b07087fc2aad91fbe885307fec8
Instruction Fuzzy Hash: D751E2716043409BDB1A9F28C889B6B77E8AF8D390F04892DF999D31D1DB7CDD448B92

Function 0079AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0079AEA3

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetProcessId.KERNEL32(00000000), ref: 0079AF38
CloseHandle.KERNEL32(00000000), ref: 0079AF67

Strings

@, xrefs: 0079AE72
<, xrefs: 0079AE6B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0c985aa329930d1ca22289f62947816c9aa3d45c959822c8d4260f0b2726ff50
Instruction ID: 9ccfbbed16f0a5db175c83c0e687b380da033b827b1b3618d9582f0dcd96bb2b
Opcode Fuzzy Hash: 0c985aa329930d1ca22289f62947816c9aa3d45c959822c8d4260f0b2726ff50
Instruction Fuzzy Hash: 8C715971A00615EFCF15DF58D489A9EBBF1BF08310F048499E816AB292CB79ED81CB91

Function 0077719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00777206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0077723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0077724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007772CF

Strings

DllGetClassObject, xrefs: 00777242

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction ID: 68e2d1c8bd5cb6918dfde83badba3b5eedee120004a21fe97aa7bb55086fa275
Opcode Fuzzy Hash: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction Fuzzy Hash: 94418FB1604204EFDF19CF54C884A9A7BB9FF89350F14C0A9BD099F20AD7B8D940DBA0

Function 007A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3E35
IsMenu.USER32(?), ref: 007A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3E92
DrawMenuBar.USER32 ref: 007A3EA5

Strings

0, xrefs: 007A3D89

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction ID: 13c184cca3bff44fc20c342e04d6f3f735ecc8592d8d89997c9b6857713b69ad
Opcode Fuzzy Hash: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction Fuzzy Hash: 17416A75A05209EFDB10DF50D884AEABBB5FF8A351F04822AF9159B250D738AE50CF50

Function 00771DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00771E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00771E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00771EA9

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Strings

ComboBox, xrefs: 00771DF0
ListBox, xrefs: 00771E25

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 65aeefe99d7bf578fc5d2f31bbe9697511f1bac5380a024ce5bd2d29e34095ec
Instruction ID: 2ad5bc00637083651999a66044ec8ff11983e6a111c2d6b24e28407ea12c6740
Opcode Fuzzy Hash: 65aeefe99d7bf578fc5d2f31bbe9697511f1bac5380a024ce5bd2d29e34095ec
Instruction Fuzzy Hash: 102137B1A00104FADF159B68DC5ACFFB7B8DF42390B548119F869A31E0DB7C4E468720

Function 0079C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079C9F1
_wcslen.LIBCMT ref: 0079CA68
_wcslen.LIBCMT ref: 0079CA9E
_wcslen.LIBCMT ref: 0079CAF9
_wcslen.LIBCMT ref: 0079CB2F
_wcslen.LIBCMT ref: 0079CB7F

Strings

HKLM, xrefs: 0079CA98, 0079CA9D
HKEY_LOCAL_MACHINE, xrefs: 0079CA62, 0079CA67

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 336cad8d7c8c94f1580ba03e46f7e864234a6a0412acea35ece92dbf6d8dea65
Instruction ID: fe0f29cf401faa06d457446a14a43bcbae57677e153bf1b543fe4b2f78bb1834
Opcode Fuzzy Hash: 336cad8d7c8c94f1580ba03e46f7e864234a6a0412acea35ece92dbf6d8dea65
Instruction Fuzzy Hash: 6531F873A001698BCF26DF2CA9911BE37A1DBA1750F55C02AE845AB385F67DDD80D3A0

Function 007A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007A2F8D
LoadLibraryW.KERNEL32(?), ref: 007A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007A2FA9
DestroyWindow.USER32(?), ref: 007A2FB1

Strings

SysAnimate32, xrefs: 007A2F68

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction ID: f1e19102666e9e5b69d669826fb8565fd56d8cfd3d80efd865fab22f27d7219a
Opcode Fuzzy Hash: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction Fuzzy Hash: 9421FD71200209AFEB118F68DC84FBB37BDEB9A364F104718FA10D61A1D739DC829760

Function 00734D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002), ref: 00734D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00734DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000), ref: 00734DC3

Strings

CorExitProcess, xrefs: 00734D98
mscoree.dll, xrefs: 00734D86

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction ID: 410814cb9ab3bce3f687c58d6921a141659b18509778921c9d3cc090cd145da4
Opcode Fuzzy Hash: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction Fuzzy Hash: 2EF0AF70A00208BBEB169F90DC09BEEBFF5EF44711F0040A4F906A2261CF38AD40CAD4

Function 0076D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0076D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0076D3BF
FreeLibrary.KERNEL32(00000000), ref: 0076D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0076D3B9
X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction ID: 3f2dcebd46b362c5cb135a191aec6b4663c8788ddf74b382f0d6329337a4021d
Opcode Fuzzy Hash: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction Fuzzy Hash: 58F055F0F26620EFD7322712CC289293220BF42701B688165FC03E5210EB7CCC408A97

Function 00714E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

Strings

kernel32.dll, xrefs: 00714E94
Wow64DisableWow64FsRedirection, xrefs: 00714EA8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction ID: 9aa1a6f459f2c48c6ea7790d064aaf66b3c68a590e72d875e08959f4af8f7bb3
Opcode Fuzzy Hash: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction Fuzzy Hash: EBE0CD75B015227BD3331729FC18B9F6554AFC3F627054215FC05D2240DB6CCD4544B5

Function 00714E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Strings

kernel32.dll, xrefs: 00714E5B
Wow64RevertWow64FsRedirection, xrefs: 00714E6E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction ID: 78e65608dd35b7b3e62933c9fc941a8e462dfecf3b900d250eb1922a456da8b8
Opcode Fuzzy Hash: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction Fuzzy Hash: 5DD0C2756026227747231B28BC09DCB2A18AFC2B113054211F801A2150CF2DCD4281E4

Function 00782947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782C05
DeleteFileW.KERNEL32(?), ref: 00782C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00782C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CC0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f4c97f896b18d39de6df3cbf6be69d778417c2074438f553ee4ac68e3ca49054
Instruction ID: 254bfb0f410f271fcb47f30e0e50e50b879f0c9a7082e3327118a3b2c01e4d0b
Opcode Fuzzy Hash: f4c97f896b18d39de6df3cbf6be69d778417c2074438f553ee4ac68e3ca49054
Instruction Fuzzy Hash: B8B16071D01119EBDF25EBA4CC89EDEBB7DEF48310F1040A6F509E6142EB399A458F61

Function 0079A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0079A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0079A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0079A468
CloseHandle.KERNEL32(?), ref: 0079A63D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 07ebb5b5cb5eb7ef855de3c1081642dcb825b451236359daccf57230ccf19935
Instruction ID: f0654350a0f4ab12c15a14ad1be2623ee47ef16e567ca7009ffcbe1bab95f825
Opcode Fuzzy Hash: 07ebb5b5cb5eb7ef855de3c1081642dcb825b451236359daccf57230ccf19935
Instruction Fuzzy Hash: D4A16371604301AFDB20DF28D88AF2AB7E5AF84714F14885DF9599B2D2DB74EC41CB92

Function 0077E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

lstrcmpiW.KERNEL32(?,?), ref: 0077E473
MoveFileW.KERNEL32(?,?), ref: 0077E4AC
_wcslen.LIBCMT ref: 0077E5EB
_wcslen.LIBCMT ref: 0077E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0077E650

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f5aeaf731fe57bf2617a55d56d7f5bf15f1b74de603dc0984662fd4b815ccfd7
Instruction ID: 7de46a64412b19a985d649f4bd1f46299dd7428d67a1b5e1c57d249a61f8507e
Opcode Fuzzy Hash: f5aeaf731fe57bf2617a55d56d7f5bf15f1b74de603dc0984662fd4b815ccfd7
Instruction Fuzzy Hash: 7351B8B25083859BDB34DB94CC859DF73DCAF89340F00491EF689D3191EF79A6888766

Function 0079B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0079BB63
RegCloseKey.ADVAPI32(?,?), ref: 0079BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0079BBB3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fb9e5553388f579ca33c0175778f3c77a4c50319f21dbf7961bad228a5b5d18a
Instruction ID: f12b0e1ef2ac51e472d8c5aceb3025810dc2680a41d8c304e53d2bdff3e6ae3b
Opcode Fuzzy Hash: fb9e5553388f579ca33c0175778f3c77a4c50319f21dbf7961bad228a5b5d18a
Instruction Fuzzy Hash: B461E371208241EFC714DF24D994E6ABBE5FF84308F14855CF4998B2A2DB39ED45CB92

Function 00778BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00778BCD
VariantClear.OLEAUT32 ref: 00778C3E
VariantClear.OLEAUT32 ref: 00778C9D
VariantClear.OLEAUT32(?), ref: 00778D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00778D3B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction ID: 92bb5fa71d503dab30741ee3f898015536c8387d4b4e8cf3e505d85c9ef84007
Opcode Fuzzy Hash: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction Fuzzy Hash: 29516DB5A00219EFCB10CF68C894AAABBF4FF8D350B158559E919DB350E734E911CFA4

Function 00788AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00788BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00788BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00788C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00788C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00788C5F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 64a238509e221556de91d4f09a382edb1d72acb929dd6096f3f144342f72c1b6
Instruction ID: bff4806f86c215d9bcee4551e6ff29b6d857176a3fef565e5111fb3c63802d5c
Opcode Fuzzy Hash: 64a238509e221556de91d4f09a382edb1d72acb929dd6096f3f144342f72c1b6
Instruction Fuzzy Hash: DC514F35A00215DFCB05DF64C885AADBBF5FF49314F088498E849AB3A2DB39ED51CB91

Function 00798EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00798F40
GetProcAddress.KERNEL32(00000000,?), ref: 00798FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00798FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00799032
FreeLibrary.KERNEL32(00000000), ref: 00799052

Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00781043,?,753CE610), ref: 0072F6E6
Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0076FA64,00000000,00000000,?,?,00781043,?,753CE610,?,0076FA64), ref: 0072F70D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction ID: 339826e85688129c538e467c16645cff0f6d0e30de08766ad04096fb614b8c0a
Opcode Fuzzy Hash: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction Fuzzy Hash: 96514E34600205DFCB15DF58D4948ADBBF1FF49314F048098E9169B362DB39ED86CB91

Function 007A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0078AB79,00000000,00000000), ref: 007A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007A6CC7

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction ID: c0be182e6a40188d8e4e1ed69b16c75ad4722fea236826e68eba213fe2c273ef
Opcode Fuzzy Hash: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction Fuzzy Hash: CB41D075A04104BFD724DF28CC48BA97BA5EB8B360F194368F895A72E0C779FD40CA60

Function 00742051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007420C3
_free.LIBCMT ref: 007420E3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction ID: 3b48ed716823fd4e606d038a901500b35ad9d5e1343c2768ac84ff8c96579d86
Opcode Fuzzy Hash: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction Fuzzy Hash: 1F41D032A002049FDB24DF78C884A5EB7F5EF88310F5545A9F515EB366EB35AD12CB90

Function 0072912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00729141
ScreenToClient.USER32(00000000,?), ref: 0072915E
GetAsyncKeyState.USER32(00000001), ref: 00729183
GetAsyncKeyState.USER32(00000002), ref: 0072919D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction ID: 4fd9bdfbef24dca1c04dd6c64decf63aa1d9b56ee86c598a2c5c0af66cadec31
Opcode Fuzzy Hash: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction Fuzzy Hash: 3C41903190821AFBDF099F68D848BEEB774FB46364F248216E925A32D0C7385D50CBA1

Function 00783874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00783922
TranslateMessage.USER32(?), ref: 0078394B
DispatchMessageW.USER32(?), ref: 00783955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction ID: 556d7e165740bce44474434c1befb76762fd4cd6deb36cde88f95bcb1bd9135a
Opcode Fuzzy Hash: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction Fuzzy Hash: B4311A709853819EEB35EB3CD849FB637A8EB05708F44456DE466C60A0E3FCB685CB21

Function 0078CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0078CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFF2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 011f425ef30d25266ab83c736d992ba8105ffc08557e488ef01db72e19fbffe1
Instruction ID: 02da19631f17b63c90bd373601da9104c8f9727fdff3ca8cba969361f966149d
Opcode Fuzzy Hash: 011f425ef30d25266ab83c736d992ba8105ffc08557e488ef01db72e19fbffe1
Instruction Fuzzy Hash: C5315472544205FFEB21EFA5D88496B77F9EB55354B10842EF606D2140DB38AD41DB60

Function 00771901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00771915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007719E2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction ID: d69031b206f0d91c3cfd301de69af99910b1bda47eed75242d0c15a50dd6f1bd
Opcode Fuzzy Hash: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction Fuzzy Hash: 6831CD71A00259EFCF00CFACC999AEE3BB5EB45314F008229FA25A72D0C374A945CF90

Function 007A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007A579D
_wcslen.LIBCMT ref: 007A57AF
_wcslen.LIBCMT ref: 007A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction ID: 4f7bfbce01983ce7c2ed400ca59cd53d69f10829eca10364f2430cc91933e510
Opcode Fuzzy Hash: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction Fuzzy Hash: F721A271904618EADB208FA0CC85EEE77B8FF86320F108356F929EA181D7789985CF50

Function 00790930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00790951
GetForegroundWindow.USER32 ref: 00790968
GetDC.USER32(00000000), ref: 007909A4
GetPixel.GDI32(00000000,?,00000003), ref: 007909B0
ReleaseDC.USER32(00000000,00000003), ref: 007909E8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction ID: 131e460efd0d28d2715b1df3b19fc8066e71a0825e77e9c532e8d06317d211f9
Opcode Fuzzy Hash: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction Fuzzy Hash: FA219675600204EFD704EF69D948AAEB7F9EF49710F048468F84AD7352DB38AC44CB90

Function 0074CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0074CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074CDE9

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0074CE0F
_free.LIBCMT ref: 0074CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0074CE31

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction ID: e10bb750703c34dfcff45397270a766a4ba95066399be75725b5e040f3b825f5
Opcode Fuzzy Hash: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction Fuzzy Hash: 7101D4726032257F276316B66C8CC7B696DDEC7BA1315412DF905C7201EF798D0291B4

Function 00729639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
SelectObject.GDI32(?,00000000), ref: 007296A2
BeginPath.GDI32(?), ref: 007296B9
SelectObject.GDI32(?,00000000), ref: 007296E2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction ID: 0016f455f1bde8896828d5d2e82a7c2917cf1b63f0ea1c13ab0cb60bd240d9ed
Opcode Fuzzy Hash: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction Fuzzy Hash: 6521C5708033D5EFDB118F24EC49BA93BB4BB45355F548215F510AA1B1D37C6881CF98

Function 00775711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775726
_memcmp.LIBVCRUNTIME ref: 00775744
_memcmp.LIBVCRUNTIME ref: 00775757
_memcmp.LIBVCRUNTIME ref: 0077576F
_memcmp.LIBVCRUNTIME ref: 00775787

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction ID: 920d362e614cb3e5c73ac44085ac043bb25794722ae00f593bc49645bb721e0c
Opcode Fuzzy Hash: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction Fuzzy Hash: F60175E1641A09FBEA0C57219D86FBB735D9B613E5F408121FD0C9A642F7ADED1082F1

Function 00742DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6), ref: 00742DFD
_free.LIBCMT ref: 00742E32
_free.LIBCMT ref: 00742E59
SetLastError.KERNEL32(00000000,00711129), ref: 00742E66
SetLastError.KERNEL32(00000000,00711129), ref: 00742E6F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 671eb169bc0c2ebc2b2c6be1c3ee23ebc2717b3a1e87efc6cb9ebf9bf8763ed6
Instruction ID: ed432084d1bab747334970ff3bc0e11594b2926819d681a801268feadd53f509
Opcode Fuzzy Hash: 671eb169bc0c2ebc2b2c6be1c3ee23ebc2717b3a1e87efc6cb9ebf9bf8763ed6
Instruction Fuzzy Hash: D301F972245621B7C61367356C4ED2B2669ABD27A17E44025F415E2193EF7CCC238524

Function 0077000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770070

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction ID: b3318dddae2431434e652a5ab01647363c06d195fc24c13972a82f311b94fc67
Opcode Fuzzy Hash: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction Fuzzy Hash: 78014B76600214FFDF124F69DC48BAA7AEDEB847A2F148124F909D6210EB7DDD40DBA0

Function 0077E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0077E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0077E9A5
Sleep.KERNEL32(00000000), ref: 0077E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0077E9B7
Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction ID: 7f645410aa6b746828b36e69e76cb40bc58745661e6931fa2dad3d19cff1b082
Opcode Fuzzy Hash: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction Fuzzy Hash: CE015B72D0152DEBCF009BE4D849ADDBB78BF4E301F008596E606B2241DB38A555CB66

Function 007710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction ID: c960b6721a75f1b66d723341ca3091e1be999c208ab9a436159d755fc26809b7
Opcode Fuzzy Hash: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction Fuzzy Hash: 17011975200209BFDB124FA9DC59A6A3B6EEFCA3A0B608419FA45D7360DA35DD009F64

Function 00770FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction ID: b055de372fca47096504a2e6dbc4f591dc2f7294cf93cd6cc5555b26eeecb0b7
Opcode Fuzzy Hash: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction Fuzzy Hash: E9F04975200305BBDB224FA8DC4AF573BADEFCA7A2F508414FA49C6251DE78DC50CA60

Function 00771014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction ID: 9ffa0270f2a9dc9731848d2d9b7903a26368646768462ebe5e871ad0ca6e6538
Opcode Fuzzy Hash: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction Fuzzy Hash: 1CF03775200305BBDB225FA8EC49A563BADEF8A6A1F508414FA4986250DA78D8508A60

Function 0078030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780324
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780331
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078033E
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078034B
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780358
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780365

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction ID: 4278d09b166396528bf5fb1deac67c3ff72df9a38201d529b9aa2a1336a10f3e
Opcode Fuzzy Hash: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction Fuzzy Hash: B501AA72801B15DFCB30AF66D880812FBF9BF603153158A3FD1A692931C7B5A998DF80

Function 0074D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0074D752

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D764
_free.LIBCMT ref: 0074D776
_free.LIBCMT ref: 0074D788
_free.LIBCMT ref: 0074D79A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction ID: ec6f8f4b9bf33524adf3adef0e2584a4453a8aec0bb6ef1bc94fcb935d3dd295
Opcode Fuzzy Hash: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction Fuzzy Hash: 93F01232545205AB9633EB65F9C5C167BEDBB447107D54C06F088E7512C73CFC908A64

Function 00775C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00775C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00775C6F
MessageBeep.USER32(00000000), ref: 00775C87
KillTimer.USER32(?,0000040A), ref: 00775CA3
EndDialog.USER32(?,00000001), ref: 00775CBD

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction ID: da582877b8aed7f676cd6d77dd1810d49af0fe77c94136bebdd9266743ec1f19
Opcode Fuzzy Hash: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction Fuzzy Hash: 0F018130500B05ABEF229B10DD4EFA677B8BB41B45F049569A587A10E1DBF8A9848AA4

Function 007422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007422BE

Part of subcall function 007429C8: HeapFree.KERNEL32(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 007422D0
_free.LIBCMT ref: 007422E3
_free.LIBCMT ref: 007422F4
_free.LIBCMT ref: 00742305

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction ID: aa4126a23027dc76d42fda70bb528be4c09cd17f221a1029c461069e8902e76a
Opcode Fuzzy Hash: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction Fuzzy Hash: CDF03A709021A19B9A13AF55BC8680C3B68F71C760781850BF410EA2B2C77D2873EFEC

Function 007295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007295D4
StrokeAndFillPath.GDI32(?,?,007671F7,00000000,?,?,?), ref: 007295F0
SelectObject.GDI32(?,00000000), ref: 00729603
DeleteObject.GDI32 ref: 00729616
StrokePath.GDI32(?), ref: 00729631

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction ID: e8fc2614c2ad8cbdbdc29e75b13cc9162f029d6e8b366f1a9607001f41247d9f
Opcode Fuzzy Hash: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction Fuzzy Hash: D6F03C30006288EBDB135F65ED5D7A53BA1AB46322F48C214F525590F2DB3C99A1DF28

Function 00740F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007410F9
__freea.LIBCMT ref: 00741117

Part of subcall function 00741537: _free.LIBCMT ref: 0074154F

Strings

am/pm, xrefs: 0074117A
a/p, xrefs: 007411DE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction ID: a3e4aaac37e706634ee21717f47f2cc24499652aa2c23d7ae5809e699cced3c7
Opcode Fuzzy Hash: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction Fuzzy Hash: E3D12631A1020ACADB24BF68C895BFEBBB0FF06700FA44159E915AB651D37D9DC0CB91

Function 007961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00796238

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Part of subcall function 0078359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4
Part of subcall function 0078359C: LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

x#~, xrefs: 0079633A
x#~, xrefs: 00796353
x#~, xrefs: 0079636F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#~$x#~$x#~
API String ID: 1072379062-2863289283
Opcode ID: afb35b4c9551c1cf289781fa0be7ae8209c8023d2272b01ed682c4832ac016ef
Instruction ID: eafce2cd303131ee20826498f8160389b73c3ed681582683a724d9f939c552ad
Opcode Fuzzy Hash: afb35b4c9551c1cf289781fa0be7ae8209c8023d2272b01ed682c4832ac016ef
Instruction Fuzzy Hash: 59C17B71A00105EBCF14DF98D895EAEB7B9FF48300F118169E9059B291DB78EE55CBA0

Function 00745AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOq, xrefs: 00745BA8, 00745C6C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: JOq
API String ID: 0-3534734180
Opcode ID: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction ID: 063e01e8f0fdc428b25bb58e86d10e27447b6ccd27855c5071f4eafcac0cba55
Opcode Fuzzy Hash: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction Fuzzy Hash: 9451A0B1E0060AEFDB119FA4C889FAEBBB8EF45310F14015AF405A7293D77D9901CB61

Function 00748A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00748B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00748B7A
__dosmaperr.LIBCMT ref: 00748B81

Strings

.s, xrefs: 00748A63

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .s
API String ID: 2434981716-1621786184
Opcode ID: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction ID: eb9c0f856505561f43bf5fe67708360ff636d3c5059cde2aa50ca550a901da69
Opcode Fuzzy Hash: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction Fuzzy Hash: B8418CF060404DAFDB659F24C884A7D7FA5EB86314F2881AAF8948B242DF798C42D795

Function 00772716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721D0,?,?,00000034,00000800,?,00000034), ref: 0077B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00772760

Part of subcall function 0077B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0077B3F8

Part of subcall function 0077B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0077B355
Part of subcall function 0077B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B365
Part of subcall function 0077B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0077281A

Strings

@, xrefs: 00772832

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction ID: c78681f9650acc9ec7070a88361db9ef1fbc1b9e2d3ab878026e1fae3879c0d9
Opcode Fuzzy Hash: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction Fuzzy Hash: FB412A72900218AFDF10DBA4CD45BEEBBB8EF09740F008095FA59B7181DB756E85CBA1

Function 0074172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00741769
_free.LIBCMT ref: 00741834
_free.LIBCMT ref: 0074183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00741760, 00741767, 00741796, 007417CE

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction ID: 42ecaecbe6d13cd91172d1e9b3cf9887c452aa4d6882d5d7741e57c9efae8f25
Opcode Fuzzy Hash: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction Fuzzy Hash: 77318271A40258EFDB22EB99DC85D9EBBFCEB89310B944166F504DB211D7784E80CB90

Function 0077C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0077C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0077C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007E1990,0126F878), ref: 0077C395

Strings

0, xrefs: 0077C2DF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction ID: 4737767276df15b6840c2ad0672327837c2f12177ae254941f3ee5680d9bd4e8
Opcode Fuzzy Hash: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction Fuzzy Hash: C9418071204301DFDB21DF25D885B5ABBE4AF89360F14C61DF9A9972D1D738A904CB62

Function 007A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007ACC08,00000000,?,?,?,?), ref: 007A44AA
GetWindowLongW.USER32 ref: 007A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A44D7

Strings

SysTreeView32, xrefs: 007A447C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction ID: 41c858362b6291223d97be3651dbd60a672dfadb6e35541803954c5e21f352b7
Opcode Fuzzy Hash: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction Fuzzy Hash: 9831AD71200245AFDB218F78DC45BEA77A9EB8A334F204725F975921D0D7B9EC509B50

Function 00776E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00776EED
VariantCopyInd.OLEAUT32(?,?), ref: 00776F08
VariantClear.OLEAUT32(?), ref: 00776F12

Strings

*jw, xrefs: 00776E8B, 00776E90, 00776EF8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jw
API String ID: 2173805711-2615704982
Opcode ID: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction ID: 9353b39d648c6cb00b96d8038f9c756c1c6b70e4a807ee4f907edc55e2f72912
Opcode Fuzzy Hash: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction Fuzzy Hash: 52310231604646DFCF05AFA8E8548BD37B6FF85740B1084A8F8065B2A1C73C9D52CBD4

Function 0079304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00793077,?,?), ref: 00793378

inet_addr.WSOCK32(?), ref: 0079307A
_wcslen.LIBCMT ref: 0079309B
htons.WSOCK32(00000000), ref: 00793106

Strings

255.255.255.255, xrefs: 00793095, 0079309A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction ID: bb791d58aa421d601845515162aba5e74372324a1167ca8b0d5217aefe2b7860
Opcode Fuzzy Hash: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction Fuzzy Hash: E031C139200205DFDF20CF6CD485EAA77E1EF55318F248059E9158B3A2DB3AEE45C760

Function 007A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A3F78

Strings

SysMonthCal32, xrefs: 007A3F0B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f4e720da9f2b7aec91af3ba1e9f502930db8091fd07eb32f38dda8c950393ee7
Instruction ID: 62feefb80d5893154d65427079f50ea26452c9866fb5ba3dcbbb01e89cd71b12
Opcode Fuzzy Hash: f4e720da9f2b7aec91af3ba1e9f502930db8091fd07eb32f38dda8c950393ee7
Instruction Fuzzy Hash: 8221BF32610219BFDF25CF54CC46FEA3B75EB89714F110215FA156B1D0D6B9AD50CB90

Function 007A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007A471A

Strings

msctls_updown32, xrefs: 007A4684

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction ID: b7d2906d0d5e513b5d04e727497ccc2fb3d12f422bc42597d08dd2cc706a5bdf
Opcode Fuzzy Hash: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction Fuzzy Hash: 7C218EB5601248AFDB11DF68DCC5DBB37ADEB8B394B040159FA009B2A1DB79EC11CA60

Function 007795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077961D

Strings

#requireadmin, xrefs: 007795D9
#notrayicon, xrefs: 007795B7
#OnAutoItStartRegister, xrefs: 007795F3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1bfea12dd076b5d10c03d32354edab8dfc3ed18ec13aff100cea9d74960e7a1a
Instruction ID: 6966fdb1e75230f2e2e7bd959d43cbe6a4b173bdeafac0ca29037489b0d1b008
Opcode Fuzzy Hash: 1bfea12dd076b5d10c03d32354edab8dfc3ed18ec13aff100cea9d74960e7a1a
Instruction Fuzzy Hash: 44218E72205221A6DB31BB289C06FB773E89F91340F00C125FA4DD70C1EB6CAD51C2A2

Function 007A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007A3876

Strings

Listbox, xrefs: 007A380F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction ID: c7b738c0517dcde02b8fb7d1c93edcd13d1bd1b6b90fb76676e43006c476e999
Opcode Fuzzy Hash: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction Fuzzy Hash: 7A219272610118BBEF119F54CC85FBB376EEFCA760F108225F9049B190CA79DC518BA0

Function 007849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00784A5C
SetErrorMode.KERNEL32(00000000,?,?,007ACC08), ref: 00784AD0

Strings

%lu, xrefs: 00784A6F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction ID: 2cf1e1071e9ceaee18450825b7ce8f0c4384a46a3d3c442106315d4aca06d1c5
Opcode Fuzzy Hash: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction Fuzzy Hash: 84318071A00109EFDB10DF64C885EAA7BF8EF49304F1480A5E909DB352D779EE45CBA1

Function 007A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007A4271

Strings

msctls_trackbar32, xrefs: 007A4226

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction ID: cda1c2b61fd809b9c7486efab032f7316ad37d09b26149167efd2173357fb50b
Opcode Fuzzy Hash: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction Fuzzy Hash: 3711E331240248BEEF209F28CC46FAB3BACEFC6B64F010224FA55E60D0D6B6DC519B50

Function 00772F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Part of subcall function 00772DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
Part of subcall function 00772DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
Part of subcall function 00772DA7: GetCurrentThreadId.KERNEL32 ref: 00772DDD
Part of subcall function 00772DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

GetFocus.USER32 ref: 00772F78

Part of subcall function 00772DEE: GetParent.USER32(00000000), ref: 00772DF9

GetClassNameW.USER32(?,?,00000100), ref: 00772FC3
EnumChildWindows.USER32(?,0077303B), ref: 00772FEB

Strings

%s%d, xrefs: 00772FFF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction ID: f02ec294058f1f38194d3b084fe81b8a1fa81705e747e12ca59d31a238df716b
Opcode Fuzzy Hash: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction Fuzzy Hash: EE11C0B1700205ABCF55AF748C89EED376AAF84344F048075B90D9B292DE389946DB60

Function 007A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58EE
DrawMenuBar.USER32(?), ref: 007A58FD

Strings

0, xrefs: 007A588F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2ac06bb1ef688b68b680d30470271cb1656576e1e644b692f6076a633098be16
Instruction ID: b43f26ae942a84c06d9ed399d1c68996218107ec926403f1a6ebce1848a24ec7
Opcode Fuzzy Hash: 2ac06bb1ef688b68b680d30470271cb1656576e1e644b692f6076a633098be16
Instruction Fuzzy Hash: 99014431900218EFDB129F11EC44BAFBBB4FF86361F1481A9F849DA151DB389A94DF21

Function 0077007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction ID: 680d0f7f0b95b71db0649cdabc67f279abb0c8bc59101be49d706543f4e9c7e9
Opcode Fuzzy Hash: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction Fuzzy Hash: 8DC16C75A0020AEFDB14CFA4C898EAEB7B5FF48354F208598E509EB251D735ED41DB90

Function 0079342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00793459
CoUninitialize.OLE32 ref: 00793463
VariantInit.OLEAUT32(?), ref: 0079346E
VariantClear.OLEAUT32(?), ref: 0079371B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction ID: ef903cef02cfdb4cbe792d853964af5b248a9e606601f98a7a83fce1119c4696
Opcode Fuzzy Hash: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction Fuzzy Hash: 16A14B75204200DFCB14DF68D489A6AB7E5FF8C714F058859F98A9B3A2DB38ED41CB91

Function 00770436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 007705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 00770608
CLSIDFromProgID.OLE32(?,?,00000000,007ACC40,000000FF,?,00000000,00000800,00000000,?,007AFC08,?), ref: 0077062D
_memcmp.LIBVCRUNTIME ref: 0077064E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 84d7b9e48b41edeed5e9dfd2f6475782de075d0b4e78cffd45da8be6d46df471
Instruction ID: a650563f9ec91edc1a4ca41e0cd362376e373c8add486a579514354c8e86298b
Opcode Fuzzy Hash: 84d7b9e48b41edeed5e9dfd2f6475782de075d0b4e78cffd45da8be6d46df471
Instruction Fuzzy Hash: 2C81F971A00109EFCF04DF94C988DEEB7B9FF89355B208558E506AB250DB75AE46CBA0

Function 0079A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0079A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0079A6BA

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Process32NextW.KERNEL32(00000000,?), ref: 0079A79C
CloseHandle.KERNEL32(00000000), ref: 0079A7AB

Part of subcall function 0072CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00753303,?), ref: 0072CE8A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 1f610637d248e20f67f3a88aa000e6010a4bda14f7bff1742963bd5416e14baf
Instruction ID: 6577b24413231ee6815e4e94667bde4ead71ac23d8920695cd086d0c33202d25
Opcode Fuzzy Hash: 1f610637d248e20f67f3a88aa000e6010a4bda14f7bff1742963bd5416e14baf
Instruction Fuzzy Hash: 85512C71508310EFD710EF28D88AA5BBBE8FF89754F00891DF58597291EB34E945CB92

Function 00751391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007514C0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8371bfda78ec510951f3e52178d544537f9808201c68fd0a6ab7e5f175e7337
Instruction ID: 4601103d830c9f6ffe4c2a264c590a4605d009bf7ebc0a9833f63e991a09344d
Opcode Fuzzy Hash: c8371bfda78ec510951f3e52178d544537f9808201c68fd0a6ab7e5f175e7337
Instruction Fuzzy Hash: 62411932A00140EBEB216BBD9C49BEF3AA4EF41373F544225FC19D6192E7BC4C455661

Function 007A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007A62E2
ScreenToClient.USER32(?,?), ref: 007A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007A6382

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction ID: 4efc3d8766e671c9d28c09bd4894cc893af8fa824a035af67feaa425aa908cc0
Opcode Fuzzy Hash: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction Fuzzy Hash: BA515E75A00249EFCF10DF68D881AAE7BB5FF86360F148269F9159B290D738ED81CB50

Function 00791AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00791AFD
WSAGetLastError.WSOCK32 ref: 00791B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00791B8A
WSAGetLastError.WSOCK32 ref: 00791B94

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction ID: 1b7e1cf504daa74eb1ed0183a66106693f091b1087c9bbef8ef46b45fc3a64fb
Opcode Fuzzy Hash: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction Fuzzy Hash: 9041E574640200AFDB20AF24D88AF6577E5AB45718F54C448F5159F3D3D77AED82CB90

Function 0074B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction ID: 1d3e6dad07d3bd57f1bf9b48819d2b219963d40529dedb8215219bb202d63f3d
Opcode Fuzzy Hash: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction Fuzzy Hash: 11412872A00344FFD7259F3CCC49BAABBA9EB88710F10452AF555DB282D779ED118780

Function 007856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00785783
GetLastError.KERNEL32(?,00000000), ref: 007857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007857FA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction ID: aedc73a5447bb7f83f07bf479572ed346029bf79406350a10ed640fbdfa898ce
Opcode Fuzzy Hash: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction Fuzzy Hash: 7E411E35600610DFCB15EF59C549A5DBBF2EF89720B19C488E84A5B3A2CB38FD41CB91

Function 0074D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00736D71,00000000,00000000,007382D9,?,007382D9,?,00000001,00736D71,?,00000001,007382D9,007382D9), ref: 0074D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0074D9AB
__freea.LIBCMT ref: 0074D9B4

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction ID: 4b1d5987b2e5c612e5c0f20e73591c6447116879a260695939e46a2cd126b87e
Opcode Fuzzy Hash: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction Fuzzy Hash: 7631BC72A0020AEBDF259F64DC45EBE7BA5EB41710F054168FC44D7291EB39ED50CBA0

Function 007A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007A5352
GetWindowLongW.USER32(?,000000F0), ref: 007A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A53A8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction ID: f8253f47388bd5e7af9bedd8ed2b26ba5eb8b11a6f090372afef422abf016b0e
Opcode Fuzzy Hash: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction Fuzzy Hash: DE31C234A56A08FFEF349B14CC56BE83765ABC7398F584201FA11961E1C7BCA980DB42

Function 0077AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0077ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0077AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0077AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0077ACC6

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction ID: 9279e59dae8a3851c3392c43991e36b0035998a5286bb64a6f0de19995fde76e
Opcode Fuzzy Hash: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction Fuzzy Hash: CB31F830A00718BFFF26CB658809BFE7BA5ABC5350F04D61AE489521D1D37D89858776

Function 007A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007A769A
GetWindowRect.USER32(?,?), ref: 007A7710
PtInRect.USER32(?,?,007A8B89), ref: 007A7720
MessageBeep.USER32(00000000), ref: 007A778C

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction ID: 5a95ffa9941d253f9e6d829f03537fd33fb6085fb1a26ae83c4b75ec4bcbd60c
Opcode Fuzzy Hash: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction Fuzzy Hash: 5041AD34A05254EFCB09CF58CC94EA9B7F4FB8A310F5982A8E4149F261C738A941CF90

Function 007A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007A16EB

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

GetCaretPos.USER32(?), ref: 007A16FF
ClientToScreen.USER32(00000000,?), ref: 007A174C
GetForegroundWindow.USER32 ref: 007A1752

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction ID: 199fa5c7aea7d3107031c96be1125a6b4487e95fb12657b37f0ee0272d4b50b1
Opcode Fuzzy Hash: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction Fuzzy Hash: 84316075D00149AFD704DFA9C8858EEB7FDEF89304B548069E415E7251D7349E41CBA0

Function 007A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

GetCursorPos.USER32(?), ref: 007A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00767711,?,?,?,?,?), ref: 007A9016
GetCursorPos.USER32(?), ref: 007A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00767711,?,?,?), ref: 007A9094

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction ID: f0bf60ac05fe00f60078d10a4bc04517eef14b801149dcb7f53d9079e9769751
Opcode Fuzzy Hash: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction Fuzzy Hash: 80219135601018FFCB268F94D859EEB7BB9EB8A391F148155F6054B161C339A960DB60

Function 0077D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007ACB68), ref: 0077D2FB
GetLastError.KERNEL32 ref: 0077D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0077D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007ACB68), ref: 0077D376

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction ID: e2033a7b7a6cda05b1a3a4209e3f74976e69c63e647c12815b711f823dee028e
Opcode Fuzzy Hash: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction Fuzzy Hash: 96214170505201DF8B20DF28C8858AAB7F4AE967A4F508A1DF499C72E1DB39DD46CB93

Function 00771571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
Part of subcall function 00771014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
Part of subcall function 00771014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
Part of subcall function 00771014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007715BE
_memcmp.LIBVCRUNTIME ref: 007715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00771617
HeapFree.KERNEL32(00000000), ref: 0077161E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction ID: c18340a758ca5b856a792fe0ba322e5ea7d9ea66a17b519caf46b8a5fb471d9c
Opcode Fuzzy Hash: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction Fuzzy Hash: BB218E71E00108EFDF14DFA8C945BEEB7B8EF85384F598859E445AB241EB38AA05DB50

Function 007A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007A2840

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ecf1eb167bdff8218e4161c0c979557d68cd2ba6ccd6f5bae44b3435288c6ef6
Instruction ID: 5a6a8ac9f1b92b1ae98adb612e56604d66089adbb835a953e45b3f2b3c1ba1c5
Opcode Fuzzy Hash: ecf1eb167bdff8218e4161c0c979557d68cd2ba6ccd6f5bae44b3435288c6ef6
Instruction Fuzzy Hash: E321C131605511BFD7159B28C844FAA7B95AFC6324F248258F4268B6E3CB79FD82CB90

Function 007778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00778D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778D8C
Part of subcall function 00778D7D: lstrcpyW.KERNEL32(00000000,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00778DB2
Part of subcall function 00778D7D: lstrcmpiW.KERNEL32(00000000,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777923
lstrcpyW.KERNEL32(00000000,?,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777984

Strings

cdecl, xrefs: 0077797B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 59c41a885732fbf800009bb70cdf2b382fb17ce536eacc30a7984a21d0c2bf27
Instruction ID: a0f678016aa2c16988d50ae74539a815239621dc709e867288bdd05e83e357df
Opcode Fuzzy Hash: 59c41a885732fbf800009bb70cdf2b382fb17ce536eacc30a7984a21d0c2bf27
Instruction Fuzzy Hash: 5B11D63A201201ABCF155F34D849D7A77A9FF95390B50C02AF94AC7264EB39A811CB91

Function 007A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0078B7AD,00000000), ref: 007A7D6B

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction ID: e9eea10e247e65331f8f03ba4858b2e7329cae41eeacd5d2fe8fdc35855118a2
Opcode Fuzzy Hash: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction Fuzzy Hash: 0811A231605665AFCB159F28CC04A6A3BA5AF86370B558724F835DB2F0E7389950DB50

Function 007A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007A56BB
_wcslen.LIBCMT ref: 007A56CD
_wcslen.LIBCMT ref: 007A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction ID: d398df136e75f7f940bd601cbf6cdde229c95948103f70c32fe1119d11eed71b
Opcode Fuzzy Hash: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction Fuzzy Hash: EC110671600604E6DB20DF61CC85EEE377CEF86760F104266F905D6081EB7CD980CB60

Function 00741D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa329ddf0df1c596f98997313c1a1ca7cff35a0b51bf4f6c0bf1119418de62cd
Instruction ID: 388260fa4d6765fa5285f35096e97a3c227c310dd972e6284ccb39ba9039f47f
Opcode Fuzzy Hash: fa329ddf0df1c596f98997313c1a1ca7cff35a0b51bf4f6c0bf1119418de62cd
Instruction Fuzzy Hash: 7901F2F2B0560A7EF62126786CC0F27261CDF813B8B740325F530611D2DB789C804A70

Function 00771A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00771A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A8A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction ID: 3ad0ef151caf91cbc38a1ac9d145fcd78fc8ef8934586be23d2283e49fbab8e5
Opcode Fuzzy Hash: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction Fuzzy Hash: 0711393AD01219FFEF11DBA8CD85FADBB78EB08750F218091EA04B7290D6716E50DB94

Function 0077E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0077E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0077E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0077E24D

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction ID: 8911cbf97687a9996d4ff1e21bc5ccf88ba562772973d7303d0f1619d3d6cd8a
Opcode Fuzzy Hash: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction Fuzzy Hash: 80112F71A04258BBDB019FACDC45A9F7FACAB89354F00C255F814D7291D678CD008765

Function 0073D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0073CFF9,00000000,00000004,00000000), ref: 0073D218
GetLastError.KERNEL32 ref: 0073D224
__dosmaperr.LIBCMT ref: 0073D22B
ResumeThread.KERNEL32(00000000), ref: 0073D249

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction ID: 9f26d44dce493e0d6c1e303b9c5e96af101de495cbe113c63683824108f2e0a9
Opcode Fuzzy Hash: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction Fuzzy Hash: F5012632805108BBEB315BA5EC09BAF3A6CEF82330F104219F924921D2CF79CC01C6A1

Function 007A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

GetClientRect.USER32(?,?), ref: 007A9F31
GetCursorPos.USER32(?), ref: 007A9F3B
ScreenToClient.USER32(?,?), ref: 007A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007A9F7A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f1b9c56f2dcdef26b7bbdd5e6a63d7855115294c32942e67d56c2ee5e0f32f02
Instruction ID: be780dd61c74435c095c49c7088e26a2eede95cd4f2762b39b533488b45b7535
Opcode Fuzzy Hash: f1b9c56f2dcdef26b7bbdd5e6a63d7855115294c32942e67d56c2ee5e0f32f02
Instruction Fuzzy Hash: 6311363290015AFFDF15DF68D88A9EE77B8EB86311F504551FA01E7140D338BAA1CBA5

Function 0071600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
GetStockObject.GDI32(00000011), ref: 00716060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction ID: b16116216a3d24536e27ba48669843f9bfe5fb09d4870dfdcfc96ed6d6235638
Opcode Fuzzy Hash: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction Fuzzy Hash: 5F116D72501548BFEF128FA8DC45EEABBA9EF4D3A4F044215FA1452150D73A9CA0DBA0

Function 00733B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00733B56

Part of subcall function 00733AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00733AD2
Part of subcall function 00733AA3: ___AdjustPointer.LIBCMT ref: 00733AED

_UnwindNestedFrames.LIBCMT ref: 00733B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00733B7C
CallCatchBlock.LIBVCRUNTIME ref: 00733BA4

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fb773ee0a676afe724b71170e27e3788d94d1134f51c031a22b100f50fe37024
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 19012972100148BBEF225E95CC46EEB7B6AEF48754F044014FE4866122C73AE961DBA0

Function 00743073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007113C6,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue), ref: 007430A5
GetLastError.KERNEL32(?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000,00000364,?,00742E46), ref: 007430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000), ref: 007430BF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction ID: d6d4cceb2e85661b7d54412e8a28d640fc32cab3a9c5e2751c1d397920ba2bd9
Opcode Fuzzy Hash: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction Fuzzy Hash: 73012B32301226BBCB314B789C45A577B9AAF46B61B204720F91DE71A0C72DD901C6E4

Function 00777464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0077747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00777497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007774CA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction ID: 7d697ee27c0fa2f50edce55a09ce4ac8bcff387172736c0978a160c5a9542ed3
Opcode Fuzzy Hash: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction Fuzzy Hash: 1511C0B1209354AFEB248F24DC08FA27FFCEB44B50F10C569A61AD6191D7B8E904DB60

Function 0077B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B126

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction ID: 9cfc8a4ed73d6a8acaf18e2a0a2f850d2751789e73b9098eef03c3e9077e4492
Opcode Fuzzy Hash: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction Fuzzy Hash: 0211AD70E0152CE7CF00AFE4E9697EEBB78FF4A351F408086D945B2181CB388A51CB55

Function 007A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007A7E33
ScreenToClient.USER32(?,?), ref: 007A7E4B
ScreenToClient.USER32(?,?), ref: 007A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007A7E8A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ff8309f60824f2e43d8df46afaedb48a069c191cc08796a155ebd923504c5a3f
Instruction ID: a0a5e5fe3e85cf18910e03b2b46a34f6176e56a9eb8c5866c28d2ef09ea8f78d
Opcode Fuzzy Hash: ff8309f60824f2e43d8df46afaedb48a069c191cc08796a155ebd923504c5a3f
Instruction Fuzzy Hash: 8B1153B9D0420AAFDB41CF98C884AEEBBF9FF49310F509166E915E3210D735AA54CF94

Function 00772DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
GetCurrentThreadId.KERNEL32 ref: 00772DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction ID: 5e52246df146b520392c58fd946df717b42ec19500565b711ebf8269865dbe1b
Opcode Fuzzy Hash: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction Fuzzy Hash: F5E092716012247BDB315B729C0EFEB3E6CEF83BA1F008015F109D10819AA8C841C6B1

Function 007A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007A8887
LineTo.GDI32(?,?,?), ref: 007A8894
EndPath.GDI32(?), ref: 007A88A4
StrokePath.GDI32(?), ref: 007A88B2

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction ID: 5af2d0b8fdc43b2f7eadc4709215949313a1e45cc11b3ced30b144e275de48c3
Opcode Fuzzy Hash: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction Fuzzy Hash: 9EF03A36046298FADB135F94AC0EFCE3A59AF4A310F44C100FA11651E2CB7D5511CBA9

Function 007298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007298CC
SetTextColor.GDI32(?,?), ref: 007298D6
SetBkMode.GDI32(?,00000001), ref: 007298E9
GetStockObject.GDI32(00000005), ref: 007298F1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction ID: 9c9aa6bc14fb10cbaf16ab1fda7488236249375bdec1974ae689e1d93bc762b6
Opcode Fuzzy Hash: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction Fuzzy Hash: A0E06531244284BADB225B74FC09BD83F50EB93375F14C219F6F6540E1C7794650DB10

Function 0077162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00771634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007711D9), ref: 00771648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077164F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction ID: e8a0564065f0b8902758be5b0c911e8e7871284facb81b3d28a4355e838859f2
Opcode Fuzzy Hash: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction Fuzzy Hash: 41E08631601211FBDB201FA49E0DB473B7CAF867D1F14C808F245C9080DA3C4540C759

Function 0076D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D858
GetDC.USER32(00000000), ref: 0076D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction ID: 741e37b7bd531bf5342827510a8d55408346f31af3fa7cfcb7366c5d9b335626
Opcode Fuzzy Hash: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction Fuzzy Hash: 30E01AB1800205EFCB529FA0D80C66EBBB5FB49310F14D009E806E7350CB3C8941AF44

Function 0076D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D86C
GetDC.USER32(00000000), ref: 0076D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction ID: 5df945cd1ef420ed72db4d1bbb160294ddd3e697e89e8e27357517169cb7e31b
Opcode Fuzzy Hash: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction Fuzzy Hash: F3E092B5800204EFCB56AFA4D80C66EBBB5BB89311B149449E94AE7360DB3C9942AF54

Function 00784D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00784ED4

Strings

*, xrefs: 00784E10
LPT, xrefs: 00784DFB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 67299999721f2c3fa399b82bc0fd66e18762ae6341b20913beef03bbe78afe33
Instruction ID: fae27524edb2e5a0e25ad67425236742fddd8e1c5f37204f6e101f43773634c2
Opcode Fuzzy Hash: 67299999721f2c3fa399b82bc0fd66e18762ae6341b20913beef03bbe78afe33
Instruction Fuzzy Hash: F5914E75A00205DFCB15EF58C484EAABBF1AF44304F19809DE50A9F3A2D779ED85CB91

Function 0073E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0073E30D

Strings

pow, xrefs: 0073E2E5, 0073E302

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction ID: 62425bd3df622c85d76ea09a0da40b3339cc8f140b09778aa95f41f1cb9b65bb
Opcode Fuzzy Hash: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction Fuzzy Hash: F4516E61E1D102D6EB197724CD457BA3B94EF40740F748E58F0D5422EBEB3D8C92DA46

Function 00797771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,?,00000000,00000000), ref: 007978DD

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,00000000,?,00000000,00000000), ref: 0079783B

Strings

<s}, xrefs: 007977C8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s}
API String ID: 3544283678-4170637906
Opcode ID: c342f4b82c0d5ca9942f2cf03271d04500e8ce8a976b0343118889cc9d4f5fe5
Instruction ID: 9178acf46b7abae1090fa73a1748172c2e1e973f7c00b95846b9bc74d9a879f7
Opcode Fuzzy Hash: c342f4b82c0d5ca9942f2cf03271d04500e8ce8a976b0343118889cc9d4f5fe5
Instruction Fuzzy Hash: 67616E72924118EACF09EBE8DC95DFDB378FF14300B444126F542A7195EF38AA85CBA0

Function 0072E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0072E1B1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5026c902a4c10ee3bc6088d928b7d91088613be3ac972038ecadc8e82fc4bdbe
Instruction ID: a48991b9de0feb51e804284b8db169ffbbcd1d7a5cb97d46efbc32101d8750ec
Opcode Fuzzy Hash: 5026c902a4c10ee3bc6088d928b7d91088613be3ac972038ecadc8e82fc4bdbe
Instruction Fuzzy Hash: 91510339500256DFDB15DF68D485AFA7BA8EF56310F248059FC929B2D0D63C9D82CBA0

Function 0072F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0072F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0072F2BB

Strings

@, xrefs: 0072F2AF

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction ID: e05e476af38151a7b1e083595fed35b6570ee2461905869f12b55a26f86f3841
Opcode Fuzzy Hash: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction Fuzzy Hash: 4D513572408744DBD320AF54D88ABABBBF8FB85700F81885DF199411A5EB3485A9CB66

Function 00795745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007957E0
_wcslen.LIBCMT ref: 007957EC

Strings

CALLARGARRAY, xrefs: 007957E6, 007957EB

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5845fb2be58b0289ad5e445bf281e0d5d223251e7d276432e5bf6c8f098b0b6c
Instruction ID: eef349a70a4dc84639301aff7ceda9b1026a23149804fc9eb42a5413bf0f9a1e
Opcode Fuzzy Hash: 5845fb2be58b0289ad5e445bf281e0d5d223251e7d276432e5bf6c8f098b0b6c
Instruction Fuzzy Hash: E2419F71A00219DFCF05DFA8D889DAEBBB5EF59360F108069E505A7391E7389D81CBA0

Function 0078D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0078D13A

Strings

|, xrefs: 0078D10B

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction ID: 5202152c998dc024829b626151db7a83d615b13db065ba85182a6efc76b21238
Opcode Fuzzy Hash: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction Fuzzy Hash: 17313E71D00219EBCF15EFA4CC89AEE7FB9FF04310F000119F915A61A6EB39A956CB50

Function 007A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007A365C

Strings

static, xrefs: 007A35BC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: cb4e5bf460b2c51f1e7f5f69e6af1b373f67b903a1da69d6026a554be803376e
Instruction ID: 2e5b27c41cf8227dffd29bf12271bb8c4234f82a939d0459e84d9ff44fc01ab7
Opcode Fuzzy Hash: cb4e5bf460b2c51f1e7f5f69e6af1b373f67b903a1da69d6026a554be803376e
Instruction Fuzzy Hash: 85319E71500204AEDB14DF78DC85EFB73A9FF89720F009619F8A597280DA39ED91DB60

Function 007A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A4634

Strings

', xrefs: 007A458E

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction ID: 6afff3624d9148166911c712d7070b223802c96edfe7cdcf1318e16d21980cce
Opcode Fuzzy Hash: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction Fuzzy Hash: 49313875E01209AFDF14CFA9C981BDA7BB5FF8A300F10416AE904AB381D7B5A951CF90

Function 007A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A3287

Strings

Combobox, xrefs: 007A3249

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction ID: ea65e3c8a5a57973b5c92c90f2dcaaa6aad6bc4ddaa8b02f8f3af3ee47ed7686
Opcode Fuzzy Hash: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction Fuzzy Hash: 67119371200208BFEF159F54DC85FAB376AEB9A364F104225F914972D0D6399D518760

Function 007A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

GetWindowRect.USER32(00000000,?), ref: 007A377A
GetSysColor.USER32(00000012), ref: 007A3794

Strings

static, xrefs: 007A3757

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction ID: fa11b5cf22c88d02201a068dbd63007e2309bbde98d56ed2c8edd5a8bb1413da
Opcode Fuzzy Hash: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction Fuzzy Hash: 711129B2610209AFDB01DFA8CC86EFA7BB8EB49354F004614F955E2250E739E8519B60

Function 0078CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0078CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0078CDA6

Strings

<local>, xrefs: 0078CD66

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction ID: 463f4eb878316899dff3e79c4896166dad6c4f5176253fcb105cad196e519cde
Opcode Fuzzy Hash: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction Fuzzy Hash: 1611C6713856317AD7367B668C45EE7BEACEF527A4F004226B10983180D7789841D7F0

Function 007A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007A34BA

Strings

edit, xrefs: 007A348F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction ID: 90f656930551082b4b119faeb003ef4396a43ba512ccabcb60a0e474a0b5e277
Opcode Fuzzy Hash: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction Fuzzy Hash: F7118F71500248AFEB128E64DC44AFB376AEB8A374F504324F961971D0C779DC919B55

Function 00776C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

CharUpperBuffW.USER32(?,?,?), ref: 00776CB6
_wcslen.LIBCMT ref: 00776CC2

Strings

STOP, xrefs: 00776CBC, 00776CC1

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7e9010b53f0b763e389b877d99cd87f70bb3efd0fb68157a28861d2dad7ee6da
Instruction ID: 24ed70f7f630d64623b533327e4a6c6a7677b8696e8339268bb5f2c678f05bcb
Opcode Fuzzy Hash: 7e9010b53f0b763e389b877d99cd87f70bb3efd0fb68157a28861d2dad7ee6da
Instruction Fuzzy Hash: F00104326109268BCF21AFBDCC959BF73B4EB61790B104924E95696198EB39E940C660

Function 00771CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00771D4C

Strings

ComboBox, xrefs: 00771CEB
ListBox, xrefs: 00771D16

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3c16558d8ba28d34517fe1b3b986d1edde4f8437e27969ccba4ae58f188af670
Instruction ID: 69c92790b0bcb1104e06ef9ac6d4481c8ffb5b46439baf49c7dd1f8b68c2fa46
Opcode Fuzzy Hash: 3c16558d8ba28d34517fe1b3b986d1edde4f8437e27969ccba4ae58f188af670
Instruction Fuzzy Hash: 4F01B571701214ABCF14EBA8CC56DFE7368EB463D0B44491AB976673C1EA3859099B60

Function 00771BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00771C46

Strings

ComboBox, xrefs: 00771BE5
ListBox, xrefs: 00771C10

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 571f9f239305f58f31bc8670bb75903922e65eb97a6aa78df7d4ed35217eb655
Instruction ID: 129d64a83cb6244f6c32aab7bddae2157c9f5daaea8f72d32fc551fe87b6367a
Opcode Fuzzy Hash: 571f9f239305f58f31bc8670bb75903922e65eb97a6aa78df7d4ed35217eb655
Instruction Fuzzy Hash: 7701FCB1740104A7CF05EBE8C966DFF73A89B113C0F604016B91A772C1EA2C9F0897B1

Function 00771C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00771CC8

Strings

ComboBox, xrefs: 00771C69
ListBox, xrefs: 00771C94

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2de6088e3c752d2a7b3cc1ca382326b98eb427115d88c83fc413395b1eb12246
Instruction ID: da9a49bf8b4d7ed003c0939d17457ca0d2e050432408e79c4e1d7c123339ac3a
Opcode Fuzzy Hash: 2de6088e3c752d2a7b3cc1ca382326b98eb427115d88c83fc413395b1eb12246
Instruction Fuzzy Hash: 4C01DBB1640114A7CF05EBE8CA16EFE73A89B113C0F544016B946732C1EA2C9F19D7B1

Function 0072A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072A529

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Strings

3yv, xrefs: 0072A545, 0072A54D, 0072A552
,%~, xrefs: 0072A509

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%~$3yv
API String ID: 2551934079-3390321579
Opcode ID: e70cc34fd02a47cd1edbdc33fdc44e2035e256fff57f803c50af3c0e47c68643
Instruction ID: f405149cb9050602bf3e4342352e4b433efcf8b53462caaf1f6788e99cc0f2ae
Opcode Fuzzy Hash: e70cc34fd02a47cd1edbdc33fdc44e2035e256fff57f803c50af3c0e47c68643
Instruction Fuzzy Hash: CE012B32701664EBD604F77DE86FA9E7368DB09710F400068FA025B1C3EE5C9D528AD7

Function 00771D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00771DD3

Strings

ComboBox, xrefs: 00771D75
ListBox, xrefs: 00771DA0

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6392e094bd9918cffaef111d3e0248fa533150abde4bbb1dbc27190cce5acee
Instruction ID: c34d5a896fa642456b8fd4cae93da0570fb5490ccf379cceb70a5102b0b8e3d4
Opcode Fuzzy Hash: f6392e094bd9918cffaef111d3e0248fa533150abde4bbb1dbc27190cce5acee
Instruction Fuzzy Hash: A3F0A4B1B41214A7DF14EBA8CC66FFE7778AB02390F440916B966632C1DA685A0987B0

Function 007A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007E3018,007E305C), ref: 007A81BF
CloseHandle.KERNEL32 ref: 007A81D1

Strings

\0~, xrefs: 007A818A

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0~
API String ID: 3712363035-4061946894
Opcode ID: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction ID: 4e35c462da9ddf2d1b9476e6a7bf69fe21d82da324afbb4fcc5ebea9d1432271
Opcode Fuzzy Hash: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction Fuzzy Hash: 01F054B1641354BAF6206761AC4DFB73A5DDB09750F008461BB08DA1A2D67D8A0082BD

Function 0079747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00797493
_wcslen.LIBCMT ref: 007974B9

Strings

3, 3, 16, 1, xrefs: 00797483

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction ID: 332c9b4072a4b9f4be3bbb043835d7c53d6003edd04b41341b1729bc571e8672
Opcode Fuzzy Hash: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction Fuzzy Hash: 5BE02B422242A060A73D1279BCC5B7F5789CFC9760B14182BF985C2277EA9CAD91D3A0

Function 00770B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00770B23

Strings

Error allocating memory., xrefs: 00770B1C
AutoIt, xrefs: 00770B17

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d4109ba2dbdccb7e11c6a5290d86ec121c114f445387dbc50c949ef43517267c
Instruction ID: 3831991b6418f235d5b1f65dc34bfb0320a7b429187b51b34f2e199cffee67f0
Opcode Fuzzy Hash: d4109ba2dbdccb7e11c6a5290d86ec121c114f445387dbc50c949ef43517267c
Instruction Fuzzy Hash: 96E0D871384318B6D21537547C0BF897A948F06B60F104477F748555C38EE9789046E9

Function 00730D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0072F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00730D71,?,?,?,0071100A), ref: 0072F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0071100A), ref: 00730D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0071100A), ref: 00730D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00730D7F

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction ID: 15e84ceb889e70ac65a57bc85efc55f0a0d91d75a1c319ef4d23671f6945dee6
Opcode Fuzzy Hash: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction Fuzzy Hash: 5EE06D702003518BE3209FBCE8183467BE0BB05740F008A3DE482C6692DBBCE4848BD1

Function 0072E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072E3D5

Strings

0%~, xrefs: 0072E3B5
8%~, xrefs: 0072E3CA

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%~$8%~
API String ID: 1385522511-2129309850
Opcode ID: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction ID: 35b48ed76a4d41f1d959aec5dc0e07f949a05d8caa7cf9f28ab6f7bfde5dc701
Opcode Fuzzy Hash: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction Fuzzy Hash: 92E0863141AAB4CBD604D718BAA9A8C3359AB0D321B5051F9E1128B1D7DBBC28538699

Function 00783017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0078302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00783044

Strings

aut, xrefs: 00783038

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction ID: cbf477f88187c79d9d3513cbaf59f1be68f4653570ae434bcd81ae533c06db59
Opcode Fuzzy Hash: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction Fuzzy Hash: D9D05B7150031477DA2097949D0DFC73B6CD745750F0041527655D60D1DAB49544CAD4

Function 0076D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0076D220

Strings

%.3d, xrefs: 0076D22B
X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction ID: bea029d3b8c51399cbb27f3f30ca628d851bd635dcfd33f0c7dddd04998681f1
Opcode Fuzzy Hash: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction Fuzzy Hash: F4D017A1D18158EECBB096E0DC599BAB3BCBB08301F608462FD07A2040E73CCD08AB61

Function 007A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A236C
PostMessageW.USER32(00000000), ref: 007A2373

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2365

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction ID: 622d9ce911a18c805707ce4a5be124e237ed1f35294dc1eabb9c8d22f34bf8d0
Opcode Fuzzy Hash: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction Fuzzy Hash: 35D012727C1310BBE665B770DC0FFC676149B56B10F1089567755EA1D0C9F8B801CA58

Function 007A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007A233F

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2325

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction ID: d162387247c83c955cb3b0aa8cd0b9108e651f9b138c9ec3e724971fee013fc8
Opcode Fuzzy Hash: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction Fuzzy Hash: 9FD01276794310F7E664B770DC0FFC67A149B55B10F1089567759AA1D0C9F8B801CA58

Function 0074BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0074BE93
GetLastError.KERNEL32 ref: 0074BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074BEFC

Memory Dump Source

Source File: 00000000.00000002.1699742120.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1699728738.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699787613.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699822444.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836120.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 84aa41ba18a17a595a67c3ebf16b76717e4fcc60e647f0b6793d68da846410f9
Instruction ID: 1896a62232b49fe8b548903758c668d8768fdb462959849f7a6e0f313ae9482c
Opcode Fuzzy Hash: 84aa41ba18a17a595a67c3ebf16b76717e4fcc60e647f0b6793d68da846410f9
Instruction Fuzzy Hash: A6412835600216FFDF218FA5CC84ABA7BA4EF82310F154169F95D971A2DB38CD05DB51

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=756816628&timestamp=1727736668553 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=ZIEcnbDmg5kMJInDhpZVY-6HwpO0AbLiv9Wxo1HYyEARyldWeJKl3YcNmDSBXZ87EC6JNjQ5-GnzU6SqLyr4_X5GGrOu3hhk7f_lPXJUh1ReZimnTx8v_--YUTwcepFLbOmC-YI_fYfdzNQgX6u1AQZd2XrBky4EcBFDkVAD48G6C4ZfEig
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HL5H5yoHUlv7Y1p&MD=84Svop5v HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HL5H5yoHUlv7Y1p&MD=84Svop5v HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
file.exe

Function 007142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00752BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0077D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0077DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 0079AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00712CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0075065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0071344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre