Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523109
MD5:	67684fd9387321aabd2378bfade0d6db
SHA1:	ba8f565089f33037f2043cb10330f7e7244fa88b
SHA256:	5fe8904fa8fa7093dc5628e159812466ae91ee695f61b5ac587fcd05ca7a0de2
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 67684FD9387321AABD2378BFADE0D6DB)

chrome.exe (PID: 6964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4632 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 505sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_74.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_74.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_79.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_74.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_74.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_79.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_79.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_74.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_74.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_74.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_74.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_74.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_79.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_74.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_74.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_74.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_79.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_74.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_74.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_79.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_74.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_74.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1701316077.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000003.1701316077.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701402287.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdF
Source: chromecache_74.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0046EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0046ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0046EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0045AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00489576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00489576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f733eef4-e
Source: file.exe, 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_72654691-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d7a0685e-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7d5251f6-e

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0045D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00451201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00451201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0045E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FBF40	0_2_003FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462046	0_2_00462046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F8060	0_2_003F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00458298	0_2_00458298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042E4FF	0_2_0042E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042676B	0_2_0042676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00484873	0_2_00484873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FCAF0	0_2_003FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CAA0	0_2_0041CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CC39	0_2_0040CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426DD9	0_2_00426DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B119	0_2_0040B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F91C0	0_2_003F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411394	0_2_00411394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411706	0_2_00411706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041781B	0_2_0041781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F7920	0_2_003F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040997D	0_2_0040997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004119B0	0_2_004119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417A4A	0_2_00417A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411C77	0_2_00411C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00443CD2	0_2_00443CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417CA7	0_2_00417CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047BE44	0_2_0047BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429EEE	0_2_00429EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411F32	0_2_00411F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00410A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@31/30@14/10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004637B5 GetLastError,FormatMessageW,

0_2_004637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004510BF AdjustTokenPrivileges,CloseHandle,		0_2_004510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0045D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003F42A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 13%
Source: file.exe	Virustotal: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00410A76 push ecx; ret

0_2_00410A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0040F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00481C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94939

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0045DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004668EE FindFirstFileW,FindClose,	0_2_004668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0046698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00469642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00469642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00469B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00469B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00465C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00465C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046EAA2 BlockInput,

0_2_0046EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00422622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00414CE8 mov eax, dword ptr fs:[00000030h]

0_2_00414CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00450B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00450B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00422622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004109D5 SetUnhandledExceptionFilter,	0_2_004109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00410C21

Source: C:\Users\user\Desktop\file.exe

0_2_00451201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00432BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00432BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045B226 SendInput,keybd_event,

0_2_0045B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004722DA

Source: C:\Users\user\Desktop\file.exe

0_2_00450B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00451663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00451663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00410698 cpuid

0_2_00410698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00468195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00468195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0044D27A GetUserNameW,

0_2_0044D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0042BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00471204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00471806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	13%	ReversingLabs
file.exe	19%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
play.google.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	172.217.16.206	true	false	0%, Virustotal, Browse	unknown
play.google.com	172.217.18.110	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.185.132	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.78	true	false	0%, Virustotal, Browse	unknown
accounts.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_74.3.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_74.3.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_74.3.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_79.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_74.3.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_74.3.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_79.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_74.3.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_74.3.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_74.3.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_74.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_74.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	unknown	United States	15169	GOOGLEUS	false
142.250.186.78	youtube.com	United States	15169	GOOGLEUS	false
172.217.16.206	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false
172.217.18.110	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523109
Start date and time:	2024-10-01 05:15:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@31/30@14/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 216.58.212.142, 142.251.168.84, 34.104.35.123, 142.250.185.195, 142.250.186.99, 142.250.186.74, 172.217.16.138, 142.250.185.74, 172.217.18.106, 142.250.186.42, 142.250.186.170, 216.58.206.74, 172.217.23.106, 142.250.185.106, 142.250.185.138, 216.58.206.42, 142.250.186.138, 172.217.18.10, 142.250.186.106, 142.250.185.170, 172.217.16.202, 142.250.181.234, 142.250.185.234, 142.250.184.234, 142.250.185.202, 142.250.184.202, 199.232.210.172, 192.229.221.95, 172.217.18.99, 173.194.76.84, 216.58.206.46
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Unknown	Browse
	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse
	https://www.polorestobar.com/	Get hash	malicious	Unknown	Browse
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	https://www.polorestobar.com/	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 23.211.8.90
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 23.211.8.90
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90
	file.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 23.211.8.90

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789948381047936
Encrypted:	false
SSDEEP:	3072:W0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:WlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	A97373CC3F8795654F3C8C6B57066AE7
SHA1:	F7BECFDDE230EF537E8745B598DCED737C490C3C
SHA-256:	A1B0568D555DC4B4AF4CC5A6C41E838B702816445C04FF002C8A13058387F311
SHA-512:	47C76D26F4F9F206F93186800E06D3DBE1FDD0A1BA23FB9A3556390DE7F86C1FFB2C78FE307FB944C690475BFBAE9738C38233E00FDDFA9775A3B2030081D7F1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEQAz5EZnBR6fK6LIn1v8ILsATM3g/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579777182525865
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	67684fd9387321aabd2378bfade0d6db
SHA1:	ba8f565089f33037f2043cb10330f7e7244fa88b
SHA256:	5fe8904fa8fa7093dc5628e159812466ae91ee695f61b5ac587fcd05ca7a0de2
SHA512:	c0410199db6629ddee4e0bcdc3718d8f4cc60d17e8588501ad278900527aad569215276db607eec8df1f65ab40f5267672b6086095b6c9a3d475631b69711581
SSDEEP:	12288:QqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTs:QqDEvCTbMWu7rQYlBQcBiT6rprG8a4s
TLSH:	03159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB64BF [Tue Oct 1 02:55:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB340C0E653h
jmp 00007FB340C0DF5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB340C0E13Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB340C0E10Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB340C10CFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB340C10D48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB340C10D31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	eae015d4fc9035341ffc85875eab3530	False	0.2860416666666667	data	5.163378231354932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x874	data			1.005083179297597
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 05:16:03.691484928 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:03.691570997 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:03.691646099 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:03.691937923 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:03.691976070 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.339452982 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.342315912 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.342350006 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.342782021 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.342854023 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.343805075 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.343859911 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.374944925 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.375068903 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.381072998 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.381107092 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.421911955 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.630160093 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.630229950 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.630280018 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.631328106 CEST	49731	443	192.168.2.4	142.250.186.78
Oct 1, 2024 05:16:04.631356001 CEST	443	49731	142.250.186.78	192.168.2.4
Oct 1, 2024 05:16:04.642275095 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:04.642316103 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:04.642405987 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:04.642796993 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:04.642827034 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.291877031 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.292301893 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.292368889 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.292797089 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.292870998 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.293536901 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.293597937 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.294732094 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.294806957 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.294933081 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.294954062 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.339709044 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.595328093 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.595344067 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.595410109 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:05.595424891 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.595490932 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.599807024 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 05:16:05.599847078 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 05:16:06.433476925 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 1, 2024 05:16:07.981014967 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:07.981086969 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:07.981165886 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:07.981396914 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:07.981431007 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.085094929 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.085177898 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.085263014 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.087059021 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.087096930 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.641736031 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.641952991 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:08.642007113 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.642868042 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.642935991 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:08.643984079 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:08.644052982 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.686548948 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:08.686573982 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:08.701791048 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.701864004 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.707691908 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.707706928 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.707962990 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.727401972 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:08.751652002 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.774208069 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.819406986 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.949002981 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.949059010 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.949105978 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.949388981 CEST	49742	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.949413061 CEST	443	49742	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.992240906 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.992283106 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:08.992350101 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.992891073 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:08.992918015 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.606076002 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.606134892 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:09.607981920 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:09.607990026 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.608222961 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.610116959 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:09.651401043 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.857567072 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.857623100 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:09.857671022 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:09.858522892 CEST	49745	443	192.168.2.4	23.211.8.90
Oct 1, 2024 05:16:09.858531952 CEST	443	49745	23.211.8.90	192.168.2.4
Oct 1, 2024 05:16:12.713098049 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:12.713124037 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:12.713176966 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:12.713378906 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:12.713392019 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.358474016 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.358769894 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.358791113 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.359328032 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.359401941 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.360342026 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.360395908 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.361381054 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.361460924 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.361650944 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.361660004 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.404356956 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.679361105 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.679508924 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.679580927 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.679594040 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.679609060 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.679636002 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.679642916 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.679678917 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.684959888 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.685045958 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.691297054 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.691386938 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.691381931 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.691426992 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.691482067 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.697550058 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.697630882 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.703819036 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.703905106 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.703924894 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.703968048 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.767548084 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.767611980 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.767671108 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.767715931 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.768393993 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.768440962 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.774597883 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.774660110 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.774698973 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.774758101 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.780829906 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.780881882 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.787144899 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.787204981 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.787230015 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.793427944 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.793482065 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.793490887 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.799690008 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.799767971 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.799774885 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.799972057 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.800029039 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.843449116 CEST	49757	443	192.168.2.4	172.217.16.206
Oct 1, 2024 05:16:13.843457937 CEST	443	49757	172.217.16.206	192.168.2.4
Oct 1, 2024 05:16:13.853595018 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:13.853612900 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:13.853674889 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:13.853929043 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:13.853940964 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.215090990 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.215117931 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.215210915 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.215617895 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.215629101 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.482702971 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.483084917 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.483102083 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.483630896 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.483711004 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.484672070 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.484739065 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.489490986 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.489587069 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.489937067 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.489944935 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.532082081 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.758668900 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.758759022 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.758835077 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.759346962 CEST	49760	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.759356022 CEST	443	49760	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.760426044 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.760463953 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.760540962 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.760859013 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.760885954 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.854485035 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.854705095 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.854715109 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.855034113 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.855086088 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.855640888 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.855685949 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.856030941 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.856087923 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.856467962 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:14.856476068 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:14.907319069 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.133229017 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.133786917 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.133919001 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.134253979 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.134274006 CEST	443	49762	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.134283066 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.134324074 CEST	49762	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.135339975 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.135394096 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.135472059 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.135768890 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.135782003 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.399246931 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.399569988 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.399591923 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.400141001 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.400218964 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.401138067 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.401210070 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.401318073 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.401403904 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.401474953 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.401474953 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.401494026 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.443447113 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.453664064 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.592832088 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.592986107 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.593070030 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.593851089 CEST	49764	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.593868971 CEST	443	49764	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.775456905 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.776177883 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.776213884 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.777431011 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.777520895 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.779745102 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.779839039 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.780257940 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.780342102 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.780591011 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.780591011 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.780610085 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.827419996 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.828552008 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.976151943 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.976480007 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:15.976682901 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.977617025 CEST	49765	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:15.977652073 CEST	443	49765	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:16.434602022 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.475430012 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.705719948 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.705750942 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.705785036 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.705792904 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.705820084 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.705851078 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.706274986 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.706336975 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.707298994 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.707329035 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 05:16:16.707354069 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:16.707429886 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 05:16:19.447685003 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:19.447765112 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:19.447840929 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:19.449085951 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:19.449116945 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:20.236875057 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:20.236953020 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:20.240168095 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:20.240176916 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:20.240583897 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:20.281491041 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:20.776281118 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:20.787508965 CEST	49723	80	192.168.2.4	88.221.110.91
Oct 1, 2024 05:16:20.792623043 CEST	80	49723	88.221.110.91	192.168.2.4
Oct 1, 2024 05:16:20.793118000 CEST	49723	80	192.168.2.4	88.221.110.91
Oct 1, 2024 05:16:20.819433928 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033112049 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033170938 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033201933 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033241034 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033256054 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.033282042 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033293009 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033303022 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.033308983 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.033338070 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.033653975 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033801079 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.033807039 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.033932924 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.035732985 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.643543959 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:21.643587112 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:21.643838882 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:21.644840956 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:21.644870996 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:21.715230942 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.715248108 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:21.715260983 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:21.715265036 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:22.276793003 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.277214050 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.277235031 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.277674913 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.278140068 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.278225899 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.278794050 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.278794050 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.278836966 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.583105087 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.583487988 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:22.583544970 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.584525108 CEST	49778	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:22.584534883 CEST	443	49778	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.532835960 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.532886028 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.532974958 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.539300919 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.539315939 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.556305885 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.556317091 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.556372881 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.563215017 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.563226938 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.720432997 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.720463991 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:45.720513105 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.720860958 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:45.720874071 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.193185091 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.193507910 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.193537951 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.193900108 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.194200039 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.194259882 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.194365025 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.194381952 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.194392920 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.206176996 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.206412077 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.206423044 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.206780910 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.207046986 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.207113981 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.207168102 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.207556963 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.207571030 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.384617090 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.384844065 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.384857893 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.386037111 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.386096954 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.388561010 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.388612986 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.388753891 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.388890028 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.388895035 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.388907909 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.388926029 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.437247038 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.437259912 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.468668938 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.468803883 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.468956947 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.469448090 CEST	49782	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.469470978 CEST	443	49782	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.484714985 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.486330032 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.486435890 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.486485958 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.486690998 CEST	49781	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.486700058 CEST	443	49781	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.665920019 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.666244984 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:46.666317940 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.666766882 CEST	49783	443	192.168.2.4	172.217.18.110
Oct 1, 2024 05:16:46.666781902 CEST	443	49783	172.217.18.110	192.168.2.4
Oct 1, 2024 05:16:58.498298883 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:58.498317957 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:58.498383045 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:58.498825073 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:58.498836994 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.275054932 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.275142908 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.278785944 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.278795958 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.279022932 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.288079023 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.335405111 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.608867884 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.608887911 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.608901024 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.608958960 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.608978033 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.609025955 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.609750986 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.609780073 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.609802008 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.609808922 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.609818935 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.609827042 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.609869957 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.613846064 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.613856077 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:16:59.613866091 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 05:16:59.613869905 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 05:17:08.039226055 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:08.039324045 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.039414883 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:08.039634943 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:08.039669037 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.680327892 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.680635929 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:08.680686951 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.681020021 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.681354046 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:08.681421041 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:08.734055042 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:09.312268972 CEST	49724	80	192.168.2.4	2.19.126.163
Oct 1, 2024 05:17:09.320898056 CEST	80	49724	2.19.126.163	192.168.2.4
Oct 1, 2024 05:17:09.321032047 CEST	49724	80	192.168.2.4	2.19.126.163
Oct 1, 2024 05:17:16.294318914 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.294343948 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.294401884 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.294655085 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.294667006 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.950145960 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.950520992 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.950540066 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.950845957 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.951148033 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.951200962 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:16.951333046 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.951606035 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:16.951611042 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:17.233839035 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:17.233957052 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:17.234031916 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:17.234438896 CEST	49788	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:17.234446049 CEST	443	49788	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:17.409813881 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:17.409861088 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:17.409928083 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:17.410274029 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:17.410289049 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.042628050 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.042948008 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.042958975 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.043312073 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.043654919 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.043724060 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.043859005 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.043876886 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.043888092 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.321990013 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.322097063 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.322185993 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.322704077 CEST	49789	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:18.322726011 CEST	443	49789	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:18.613797903 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:18.613866091 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:18.613993883 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:31.497858047 CEST	49786	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:17:31.497879028 CEST	443	49786	142.250.186.68	192.168.2.4
Oct 1, 2024 05:17:46.316095114 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.316188097 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.316318035 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.318284035 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.318317890 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.948990107 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.949321032 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.949357986 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.949877024 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.950175047 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.950259924 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:46.950324059 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.950342894 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:46.950357914 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:47.225008011 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:47.225123882 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:47.225172997 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:47.225656986 CEST	49791	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:47.225680113 CEST	443	49791	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:47.611876965 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:47.611965895 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:47.612062931 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:47.612329960 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:47.612365007 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.241384983 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.242526054 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.242558956 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.243097067 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.243371964 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.243458033 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.243514061 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.243539095 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.243596077 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.518785000 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.518924952 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:17:48.518996000 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.520644903 CEST	49792	443	192.168.2.4	142.250.184.206
Oct 1, 2024 05:17:48.520714045 CEST	443	49792	142.250.184.206	192.168.2.4
Oct 1, 2024 05:18:08.085717916 CEST	49793	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:18:08.085757971 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.085835934 CEST	49793	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:18:08.086136103 CEST	49793	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:18:08.086148977 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.730103016 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.730408907 CEST	49793	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:18:08.730428934 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.730750084 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.731060028 CEST	49793	443	192.168.2.4	142.250.186.68
Oct 1, 2024 05:18:08.731118917 CEST	443	49793	142.250.186.68	192.168.2.4
Oct 1, 2024 05:18:08.780544996 CEST	49793	443	192.168.2.4	142.250.186.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 05:16:03.674165010 CEST	53	62191	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:03.683958054 CEST	52678	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:03.684125900 CEST	65200	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:03.690433025 CEST	53	52678	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:03.691104889 CEST	53	65200	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:03.700258970 CEST	53	64522	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:04.634928942 CEST	56041	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:04.635409117 CEST	64798	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:04.641638041 CEST	53	56041	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:04.641839027 CEST	53	64798	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:04.671154976 CEST	53	63111	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:07.971021891 CEST	54258	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:07.971158981 CEST	60375	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:07.977627039 CEST	53	60375	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:07.977637053 CEST	53	54258	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:09.812935114 CEST	53	54512	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:12.676702023 CEST	56282	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:12.676853895 CEST	59671	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:12.683196068 CEST	53	56282	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:12.683453083 CEST	53	59671	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:13.844566107 CEST	57978	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:13.844722033 CEST	56558	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:16:13.851432085 CEST	53	56558	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:13.851445913 CEST	53	57978	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:15.850754023 CEST	53	58181	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:20.897146940 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 05:16:21.741394997 CEST	53	49711	1.1.1.1	192.168.2.4
Oct 1, 2024 05:16:40.545603037 CEST	53	50238	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:03.299931049 CEST	53	55350	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:03.381419897 CEST	53	59666	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:08.031829119 CEST	56019	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:17:08.031956911 CEST	54739	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:17:08.038415909 CEST	53	56019	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:08.038429976 CEST	53	54739	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:14.619317055 CEST	53	55387	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:16.284707069 CEST	53369	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:17:16.284874916 CEST	60043	53	192.168.2.4	1.1.1.1
Oct 1, 2024 05:17:16.291435003 CEST	53	60043	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:16.293761969 CEST	53	53369	1.1.1.1	192.168.2.4
Oct 1, 2024 05:17:31.513679981 CEST	53	60854	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 05:16:03.683958054 CEST	192.168.2.4	1.1.1.1	0x43d3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:03.684125900 CEST	192.168.2.4	1.1.1.1	0x1735	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 05:16:04.634928942 CEST	192.168.2.4	1.1.1.1	0xf8b4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.635409117 CEST	192.168.2.4	1.1.1.1	0xeef9	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 05:16:07.971021891 CEST	192.168.2.4	1.1.1.1	0x9b3d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:07.971158981 CEST	192.168.2.4	1.1.1.1	0xec4a	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 05:16:12.676702023 CEST	192.168.2.4	1.1.1.1	0xe2da	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:12.676853895 CEST	192.168.2.4	1.1.1.1	0x9cc8	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 05:16:13.844566107 CEST	192.168.2.4	1.1.1.1	0xe7df	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:13.844722033 CEST	192.168.2.4	1.1.1.1	0xf158	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 05:17:08.031829119 CEST	192.168.2.4	1.1.1.1	0x83e1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:17:08.031956911 CEST	192.168.2.4	1.1.1.1	0xa960	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 05:17:16.284707069 CEST	192.168.2.4	1.1.1.1	0x42f8	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:17:16.284874916 CEST	192.168.2.4	1.1.1.1	0x888e	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 05:16:03.690433025 CEST	1.1.1.1	192.168.2.4	0x43d3	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:03.691104889 CEST	1.1.1.1	192.168.2.4	0x1735	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641638041 CEST	1.1.1.1	192.168.2.4	0xf8b4	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641839027 CEST	1.1.1.1	192.168.2.4	0xeef9	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 05:16:04.641839027 CEST	1.1.1.1	192.168.2.4	0xeef9	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 05:16:07.977627039 CEST	1.1.1.1	192.168.2.4	0xec4a	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 05:16:07.977637053 CEST	1.1.1.1	192.168.2.4	0x9b3d	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:12.683196068 CEST	1.1.1.1	192.168.2.4	0xe2da	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 05:16:12.683196068 CEST	1.1.1.1	192.168.2.4	0xe2da	No error (0)	www3.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:16:12.683453083 CEST	1.1.1.1	192.168.2.4	0x9cc8	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 05:16:13.851445913 CEST	1.1.1.1	192.168.2.4	0xe7df	No error (0)	play.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:17:08.038415909 CEST	1.1.1.1	192.168.2.4	0x83e1	No error (0)	www.google.com		142.250.186.68	A (IP address)	IN (0x0001)	false
Oct 1, 2024 05:17:08.038429976 CEST	1.1.1.1	192.168.2.4	0xa960	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 05:17:16.293761969 CEST	1.1.1.1	192.168.2.4	0x42f8	No error (0)	play.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	142.250.186.78	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:04 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:04 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 03:16:04 GMT Date: Tue, 01 Oct 2024 03:16:04 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.185.174	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:05 UTC	877	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:05 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 03:16:05 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 03:46:05 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=E406Pb0AwX0; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=b4Mh4jNSl4E; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 03:16:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgCw%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 03:16:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	23.211.8.90	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:08 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 03:16:08 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=221353 Date: Tue, 01 Oct 2024 03:16:08 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	23.211.8.90	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:09 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 03:16:09 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=221411 Date: Tue, 01 Oct 2024 03:16:09 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 03:16:09 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	172.217.16.206	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:13 UTC	1244	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1556946213&timestamp=1727752571638 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:13 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-TiK-5vDoQwMLLP-kT9mFag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 03:16:13 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1JBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-Pvpbfb2QQOvL3Xy6Skl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAACNMuPQ" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 54 69 4b 2d 35 76 44 6f 51 77 4d 4c 4c 50 2d 6b 54 39 6d 46 61 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="TiK-5vDoQwMLLP-kT9mFag">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-01 03:16:13 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49760	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:14 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:14 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:14 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49762	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:14 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:15 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:15 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:15 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 35 37 32 36 39 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752572699",null,null,null
2024-10-01 03:16:15 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=R-aDPvwCsOJZj56IyEdKfNbd6dpItH7vNbB58_t4hd3O5OqbsQi17gT1cK9mtaeHf8oAcJqqBSVv62NEcg2HN9Nf-45GQCig1h5fu33gP6XK6yBV_SKSK2oKtxJCIwsuzHAfOb_TqAoZDU5XV4Ol0H2OKeUsuYzfCu1dHQyUVdR2Mz51Cg; expires=Wed, 02-Apr-2025 03:16:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 03:16:15 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49765	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:15 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 03:16:15 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 35 37 32 38 37 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752572873",null,null,null
2024-10-01 03:16:15 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=cXqypJaQXr0HYb7LG9j-1ZTZ6W5nLVsjpotrLibBPTgOcpKiZ_fFstJwC5Ox4dPSOx7YXIbdtd8bG07m6w4j5yEtHICVWSjniC9yc69vqaCEdxfSb5WmLpInpn-9mIv4X6GqhURqynpnPYTPj_RdNNmnMq3l6OapYJLrZBjv1Qb2izc7OA; expires=Wed, 02-Apr-2025 03:16:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 03:16:15 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.185.132	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:16 UTC	1221	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=cXqypJaQXr0HYb7LG9j-1ZTZ6W5nLVsjpotrLibBPTgOcpKiZ_fFstJwC5Ox4dPSOx7YXIbdtd8bG07m6w4j5yEtHICVWSjniC9yc69vqaCEdxfSb5WmLpInpn-9mIv4X6GqhURqynpnPYTPj_RdNNmnMq3l6OapYJLrZBjv1Qb2izc7OA
2024-10-01 03:16:16 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Mon, 30 Sep 2024 23:52:58 GMT Expires: Tue, 08 Oct 2024 23:52:58 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 12198 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 03:16:16 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 03:16:16 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-01 03:16:16 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 03:16:16 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-01 03:16:16 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:20 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E5raopbcaRR14nd&MD=yW+G4tc+ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 03:16:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 3d75d416-0b4e-4a0e-abf6-68303870c94e MS-RequestId: dd099b82-7de3-45c6-8833-924223005632 MS-CV: EUPu2ynVgkKAyZ+H.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 03:16:20 GMT Connection: close Content-Length: 24490
2024-10-01 03:16:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 03:16:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49778	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:22 UTC	1306	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=cXqypJaQXr0HYb7LG9j-1ZTZ6W5nLVsjpotrLibBPTgOcpKiZ_fFstJwC5Ox4dPSOx7YXIbdtd8bG07m6w4j5yEtHICVWSjniC9yc69vqaCEdxfSb5WmLpInpn-9mIv4X6GqhURqynpnPYTPj_RdNNmnMq3l6OapYJLrZBjv1Qb2izc7OA
2024-10-01 03:16:22 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 35 32 35 37 30 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727752570000",null,null,null,
2024-10-01 03:16:22 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA; expires=Wed, 02-Apr-2025 03:16:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:22 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 03:16:22 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:22 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49782	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:46 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1328 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:16:46 UTC	1328	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 30 34 34 36 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752604466",null,null,null
2024-10-01 03:16:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49781	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:46 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1302 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:16:46 UTC	1302	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 30 34 36 38 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752604687",null,null,null
2024-10-01 03:16:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49783	172.217.18.110	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:46 UTC	1297	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1038 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:16:46 UTC	1038	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-01 03:16:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:16:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:16:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:16:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49784	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:16:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E5raopbcaRR14nd&MD=yW+G4tc+ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 03:16:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 87a94136-55ff-41a5-aaa6-51ce0fc7709f MS-RequestId: ba51d0f2-67f9-446c-8692-2420a133f564 MS-CV: u6MCZoQBY0ym0wQl.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 03:16:58 GMT Connection: close Content-Length: 30005
2024-10-01 03:16:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 03:16:59 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49788	142.250.184.206	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:17:16 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1336 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:17:16 UTC	1336	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 33 35 32 35 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752635250",null,null,null
2024-10-01 03:17:17 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:17:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:17:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:17:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49789	142.250.184.206	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:17:18 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1331 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:17:18 UTC	1331	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 33 36 33 37 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752636376",null,null,null
2024-10-01 03:17:18 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:17:18 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:17:18 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:17:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49791	142.250.184.206	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:17:46 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1223 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:17:46 UTC	1223	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 36 35 32 38 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752665282",null,null,null
2024-10-01 03:17:47 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:17:47 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:17:47 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:17:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49792	142.250.184.206	443	4632	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 03:17:48 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1451 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ojZzasqYL6mFOfvEjn9I-jgFu0blCISKMNQfGTGB8Bl7ZusBWevAN05Ttd3W0i99H4ePUX5dkhd6v9wwzC81mkHQyuILW2Cy9iS71ezmRJUUW3_HnvLrGl_WWfZUGS4-hnjRqcv6BpJEhKzaxwTvj4KNpnGs2BPIZVVgO-Rpxwb31--yApc7eFpPPA
2024-10-01 03:17:48 UTC	1451	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 35 32 36 36 36 35 37 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727752666578",null,null,null
2024-10-01 03:17:48 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 03:17:48 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 03:17:48 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 03:17:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:16:01
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3f0000
File size:	917'504 bytes
MD5 hash:	67684FD9387321AABD2378BFADE0D6DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:16:01
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:16:01
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	23:16:12
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:16:12
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=2044,i,18315937055467420386,530209961681002181,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	1434
Total number of Limit Nodes:	39

Executed Functions

Function 003F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003F430D

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetCurrentProcess.KERNEL32(?,0048CB64,00000000,?,?), ref: 003F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003F44A0

Strings

kernel32.dll, xrefs: 003F444F
|O, xrefs: 004336F8
GetNativeSystemInfo, xrefs: 003F4460

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction ID: 65b055973221c3423108a4a7dcaa7d479ff785e88e0267fcb6a57974a91e0508
Opcode Fuzzy Hash: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction Fuzzy Hash: EFA1C47191A2C4CFE753DB6A7C85DAA3FA46B67308F0459BAD84193B33D2344518CB2D

Function 003F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42C9
LoadResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335BE
SizeofResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335D3
LockResource.KERNEL32(003F50AA,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20,?), ref: 004335E6

Strings

SCRIPT, xrefs: 003F42BF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction ID: d841ef5974cce5aab0ff4c7c7e0e9e8dad976f45b40c04fb66ee835856dcc312
Opcode Fuzzy Hash: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction Fuzzy Hash: C3117C70600704BFD7228B65DC88F2B7BB9EBC5B51F2049BDB502966A0DB71D8008771

Function 00432BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004B2224), ref: 00432C10
ShellExecuteW.SHELL32(00000000,?,?,004B2224), ref: 00432C17

Strings

runas, xrefs: 00432C0B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4dbc1965b661beb53b15e7af37002d2d23b3fd7d405171ac0c8c5e53bdfee3bd
Instruction ID: 38c4ee818cc67844554fe70f473565976caa44571bab50ed7e6bf58ab2c43841
Opcode Fuzzy Hash: 4dbc1965b661beb53b15e7af37002d2d23b3fd7d405171ac0c8c5e53bdfee3bd
Instruction Fuzzy Hash: 9211B431208309AAC707FF60D852EBEB7A4AF95340F44142EF6465B0A3CF35894A8716

Function 0045D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Process32NextW.KERNEL32(00000000,?), ref: 0045D52F
CloseHandle.KERNELBASE(00000000), ref: 0045D5DC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3c8bd1aa3d7201af6d5015fd2c0f627c3de4d06eae77afc5bb8373610cb97cbd
Instruction ID: ba7b20c07a640273a48932ee7f22237718b2e37a28945cdfb2240ae4bf29b8ec
Opcode Fuzzy Hash: 3c8bd1aa3d7201af6d5015fd2c0f627c3de4d06eae77afc5bb8373610cb97cbd
Instruction Fuzzy Hash: 9131C971004304AFD311EF54C885B7F7BF8EF95344F10092EF585862A2EB719949CB92

Function 0045DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00435222), ref: 0045DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0045DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0045DBEE
FindClose.KERNEL32(00000000), ref: 0045DBFA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction ID: a12e49bfc9c91cfecaf82d6b2d8c5e717d72b169da443c5135c3dcde2ff8c83f
Opcode Fuzzy Hash: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction Fuzzy Hash: DDF0A030C109109782316B78AC8D8AF37AC9E01336B144B5BF836C21E1EBB4595986AE

Function 00414CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D09
TerminateProcess.KERNEL32(00000000,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D10
ExitProcess.KERNEL32 ref: 00414D22

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction ID: 487eb974f610ee8be72e0f53e71575d54e2d179270d4add0611e32685d7e8990
Opcode Fuzzy Hash: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction Fuzzy Hash: B2E0B631400148ABCF21AF55ED49A993B69FB81B85B104429FC098A222CB39DD82DB98

Function 003FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#L, xrefs: 004407CE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#L
API String ID: 3964851224-1785973656
Opcode ID: 1e675d94665d07a4fec852ae7380d1598f30ec6b5109fcc174f23a0cec6e895b
Instruction ID: 1bd03a119d0f59a1c514e434d16ec1cbdf2d30d06306d7ba55aebc11ed2562a8
Opcode Fuzzy Hash: 1e675d94665d07a4fec852ae7380d1598f30ec6b5109fcc174f23a0cec6e895b
Instruction Fuzzy Hash: D4A2AC706083059FD721CF24C580B2BBBE5BF89304F14986EEA8A9B352D775EC45CB96

Function 0047AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0047B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1D4
_wcslen.LIBCMT ref: 0047B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B236
_wcslen.LIBCMT ref: 0047B332

Part of subcall function 004605A7: GetStdHandle.KERNEL32(000000F6), ref: 004605C6

_wcslen.LIBCMT ref: 0047B34B
_wcslen.LIBCMT ref: 0047B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047B3B6
GetLastError.KERNEL32(00000000), ref: 0047B407
CloseHandle.KERNEL32(?), ref: 0047B439
CloseHandle.KERNEL32(00000000), ref: 0047B44A
CloseHandle.KERNEL32(00000000), ref: 0047B45C
CloseHandle.KERNEL32(00000000), ref: 0047B46E
CloseHandle.KERNEL32(?), ref: 0047B4E3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e94e7070a0ba6cda1bd4ca9cc424c1e9ed03394d03d43faa907edfa7d852ce58
Instruction ID: 1af12c3d673b1b983cc5350e35e3a6d32613947ac44c592da7cce824f3351053
Opcode Fuzzy Hash: e94e7070a0ba6cda1bd4ca9cc424c1e9ed03394d03d43faa907edfa7d852ce58
Instruction Fuzzy Hash: 2EF19B315042409FC715EF25C891BABBBE5EF85314F14855EF8899B2A2CB38EC44CB96

Function 003FD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003FD807
timeGetTime.WINMM ref: 003FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB28
TranslateMessage.USER32(?), ref: 003FDB7B
DispatchMessageW.USER32(?), ref: 003FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB9F
Sleep.KERNEL32(0000000A), ref: 003FDBB1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4626381d2cc6d041239114a6346cbba9d5578da48162b4767ae40df424d9f979
Instruction ID: c2d323f4624180da1c0d0607e50fdf0585a03f75de651d379a73b1a6a5e163da
Opcode Fuzzy Hash: 4626381d2cc6d041239114a6346cbba9d5578da48162b4767ae40df424d9f979
Instruction Fuzzy Hash: B9420430604346EFE726CF24C888B7AB7A6BF45304F54492EF955873A1D7B4E844CB9A

Function 003F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2D07
RegisterClassExW.USER32(00000030), ref: 003F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
LoadIconW.USER32(000000A9), ref: 003F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

+, xrefs: 003F2CF0
AutoIt v3 GUI, xrefs: 003F2D23
TaskbarCreated, xrefs: 003F2D37
0, xrefs: 003F2CE9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction ID: d150101ec41b0f835ecfed62eec4ad173a4b98d0ac5f8e67a3cfe46004bb8221
Opcode Fuzzy Hash: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction Fuzzy Hash: B421F2B1901309AFDB40DFA4EC89BDDBBB4FB09700F10852AFA11A62A0D7B54540CFA9

Function 0043065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043039A: CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

GetLastError.KERNEL32 ref: 0043076F
__dosmaperr.LIBCMT ref: 00430776
GetFileType.KERNELBASE(00000000), ref: 00430782
GetLastError.KERNEL32 ref: 0043078C
__dosmaperr.LIBCMT ref: 00430795
CloseHandle.KERNEL32(00000000), ref: 004307B5
CloseHandle.KERNEL32(?), ref: 004308FF
GetLastError.KERNEL32 ref: 00430931
__dosmaperr.LIBCMT ref: 00430938

Strings

H, xrefs: 004308BD

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction ID: 6b4c31d0b55ef2f61066c398b51a7f7e1a59686e36fd769a5285a97b1c820eda
Opcode Fuzzy Hash: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction Fuzzy Hash: 6BA12C32A001088FDF19EF68DC61BAE7BA09B09324F14125EF8159B3D1D7399D53CB59

Function 003F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004331CE
RegCloseKey.ADVAPI32(?), ref: 00433210
_wcslen.LIBCMT ref: 00433277
_wcslen.LIBCMT ref: 00433286

Strings

\Include\, xrefs: 003F3527
\, xrefs: 0043328C
Include, xrefs: 00433184, 004331C5
Software\AutoIt v3\AutoIt, xrefs: 003F3560

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ba503c4f138939a83af55ac1314950b330d5ae09fb0b794427c97416878d484f
Instruction ID: 1cd5442bb64ef6617565d239eb81c1e7ba2bf5b483d70ac39d66969a33a76fa0
Opcode Fuzzy Hash: ba503c4f138939a83af55ac1314950b330d5ae09fb0b794427c97416878d484f
Instruction Fuzzy Hash: 1C718D714043449EC355EF65DD81D6BBBE8BF89340F40093EF945972B0EBB89A48CB6A

Function 003F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003F2B9D
LoadIconW.USER32(00000063), ref: 003F2BB3
LoadIconW.USER32(000000A4), ref: 003F2BC5
LoadIconW.USER32(000000A2), ref: 003F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003F2BEF
RegisterClassExW.USER32(?), ref: 003F2C40

Part of subcall function 003F2CD4: GetSysColorBrush.USER32(0000000F), ref: 003F2D07
Part of subcall function 003F2CD4: RegisterClassExW.USER32(00000030), ref: 003F2D31
Part of subcall function 003F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
Part of subcall function 003F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
Part of subcall function 003F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
Part of subcall function 003F2CD4: LoadIconW.USER32(000000A9), ref: 003F2D85
Part of subcall function 003F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

0, xrefs: 003F2C0F
#, xrefs: 003F2C16
AutoIt v3, xrefs: 003F2C2F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction ID: bfb0cd6216ea3bc25b7beec8806d276159abdecfd6132b49f4b493f37bad7caf
Opcode Fuzzy Hash: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction Fuzzy Hash: 2E214C70E00358ABEB509FA5EC85EAE7FB4FB49B54F00043AEA01A66B1D3B54550CF98

Function 003F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003F316A,?,?), ref: 003F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003F316A,?,?), ref: 003F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003F316A,?,?), ref: 003F3232
CreatePopupMenu.USER32 ref: 003F3246
PostQuitMessage.USER32(00000000), ref: 003F3267

Strings

TaskbarCreated, xrefs: 003F322D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2cfcc0e20451ef94b5650429a729d64eb07943068e15b5fce301a8540cf62991
Instruction ID: 7e2cf95654f0ed4deb10b222b929cd901332f19d02f5b0ae42bfd25645cd33de
Opcode Fuzzy Hash: 2cfcc0e20451ef94b5650429a729d64eb07943068e15b5fce301a8540cf62991
Instruction Fuzzy Hash: D1411935240209B6EB163B78DD4AF7E3619E706348F04453BFB06866B2CBB9DA40D76D

Function 003F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003F1459
CoUninitialize.COMBASE ref: 003F14F8
UnregisterHotKey.USER32(?), ref: 003F16DD
DestroyWindow.USER32(?), ref: 004324B9
FreeLibrary.KERNEL32(?), ref: 0043251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0043254B

Strings

close all, xrefs: 003F1454

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 563a55d0c8b4a5504891f88f9c642070699fc345b570e8c477c196c62570d450
Instruction ID: 16ff33e4e9a09f1f0ce1ab8438eadc33e3d1b044eb1d8ba664dd3ab6a409c838
Opcode Fuzzy Hash: 563a55d0c8b4a5504891f88f9c642070699fc345b570e8c477c196c62570d450
Instruction Fuzzy Hash: B1D1CD31701212DFCB2AEF15D595B29F7A4BF09700F1041AEE94AAB261DB34ED12CF98

Function 003F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CCF

Strings

edit, xrefs: 003F2CAC
AutoIt v3, xrefs: 003F2C89, 003F2C8E, 003F2C8F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction ID: cb6807ddfa8c349b550dc6b0ba5d3bcc17e3cedd92a66164528da3c1086a480c
Opcode Fuzzy Hash: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction Fuzzy Hash: C4F0D4B56402D07AFB711B27AC48E7B2EBDD7CBF64B11406EFD00A25B1C6751850DAB8

Function 003F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B83

Strings

Control Panel\Mouse, xrefs: 003F3B3E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction ID: 8134270a2a92a796ddbbf04d5e29fbfcd8375d17960b1a58ebc70e2f9f1b5424
Opcode Fuzzy Hash: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction Fuzzy Hash: 6B112AB5511208FFDB228FA5DC94ABEB7BCEF05784B11486AA905D7210D2319E409764

Function 003F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004333A2

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003F3A04

Strings

Line: , xrefs: 004333EB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 20245c67c2aef61b988c13804a2f5b73b63824bf2f242b16343e3fa9d1737e9a
Instruction ID: 5bf7fccd08c82845ef5e2a3be71ff9f2b6e7319d4444be06bdd48e536fe11cbe
Opcode Fuzzy Hash: 20245c67c2aef61b988c13804a2f5b73b63824bf2f242b16343e3fa9d1737e9a
Instruction Fuzzy Hash: 4431F671408308AAD322EB20DC45FFFB7E8AB45714F10492FFA99871A1DB749A48C7D6

Function 003F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00432C8C

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 003F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Strings

`eK, xrefs: 00432C85
X, xrefs: 00432C5A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eK
API String ID: 779396738-1346537380
Opcode ID: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction ID: 4d216a2b983eae82d93032a25bc849f3dc27e6623970c1ca2f7626888c175191
Opcode Fuzzy Hash: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction Fuzzy Hash: 96219371A0029C9BDF02DF95C845BEE7BFCAF49304F00805AE505AB241DBB85A898F65

Function 0040FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00410668

Part of subcall function 004132A4: RaiseException.KERNEL32(?,?,?,0041068A,?,004C1444,?,?,?,?,?,?,0041068A,003F1129,004B8738,003F1129), ref: 00413304

__CxxThrowException@8.LIBVCRUNTIME ref: 00410685

Strings

Unknown exception, xrefs: 00410692

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: af54a20313602de25bc57c08ca5b33bf1c69dab63c203dc8149abdbd9d5aa57e
Instruction ID: 25b58e9dd00dabb8604053a941049d324499e1fde9e684c9002ce85352ccf7fb
Opcode Fuzzy Hash: af54a20313602de25bc57c08ca5b33bf1c69dab63c203dc8149abdbd9d5aa57e
Instruction Fuzzy Hash: 83F0283480030C77CB00BA65DC46DDE776D5E00344B60447BB818A19D1EFBDDADAC58C

Function 003F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Part of subcall function 003F1B4A: RegisterWindowMessageW.USER32(00000004,?,003F12C4), ref: 003F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003F136A
OleInitialize.OLE32 ref: 003F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004324AB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7b75df7ba1957b0be4f25a8544b78cc9142b1f6145d9096bcecf445f8dad1bcb
Instruction ID: d42dd8fe5398738003e78aa31e93bfc8e09452e6c2f0e273aa1b7fae4c113727
Opcode Fuzzy Hash: 7b75df7ba1957b0be4f25a8544b78cc9142b1f6145d9096bcecf445f8dad1bcb
Instruction Fuzzy Hash: 15719DB8915204AFC3C4EF7AA945E653AE0BB8A344754857ED10ACB373EB348411CF6D

Function 004286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004285CC,?,004B8CC8,0000000C), ref: 00428704
GetLastError.KERNEL32(?,004285CC,?,004B8CC8,0000000C), ref: 0042870E
__dosmaperr.LIBCMT ref: 00428739

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction ID: 98e9af1c21c9f16a7be109a2694fc076fb17bcdfe0bc6e2884a96aa2092032d7
Opcode Fuzzy Hash: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction Fuzzy Hash: 3C012B3270663026D664A2357849B7F67594F91779FB9012FFC148B2D3DEBD8C82829C

Function 00401310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017F6

Strings

CALL, xrefs: 004017C6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7f7b62a8667ed6d157dbf8d53f1fc94b094d2def5a0fb56725f5f6bad7d5d569
Instruction ID: 34246cf11f6dba799eb682630f94ed96fe3260e9cda5e42e80c2c0e8fd571d54
Opcode Fuzzy Hash: 7f7b62a8667ed6d157dbf8d53f1fc94b094d2def5a0fb56725f5f6bad7d5d569
Instruction Fuzzy Hash: 9822AE706083419FD714DF15C880B2ABBF1BF85318F14892EF486AB3A1D779E945CB9A

Function 003F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6ffdc423c08181168fc51ec9569c199b52d7ebd22a1928f100e94534f12decad
Instruction ID: 2fdfb64ce8883bd6e6133c9525237989cba79af8320890d076a0bdb95453694e
Opcode Fuzzy Hash: 6ffdc423c08181168fc51ec9569c199b52d7ebd22a1928f100e94534f12decad
Instruction Fuzzy Hash: D731F7705043049FE761DF24D884BA7BBF8FF49748F00082EFA9987261D775AA48CB56

Function 003F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
Part of subcall function 003F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
Part of subcall function 003F4E90: FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EFD

Part of subcall function 003F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
Part of subcall function 003F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
Part of subcall function 003F4E59: FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction ID: 4befcbfb60330fab374d7ed69425debcaceff2151d42eea440f8930c58629fa4
Opcode Fuzzy Hash: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction Fuzzy Hash: 2A11C432610309AACB16BF60DC02FBE77A5AF54711F10442EF646AA1C1EE749A459754

Function 00428402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00428440

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction ID: 70162e2c190b87383a57f39c932a33c805c569f76856d04f10e7a51082b8de19
Opcode Fuzzy Hash: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction Fuzzy Hash: AF111C75A0410AAFCB15DF58E94199F7BF5EF48314F14405AF804AB311EA31DA21CB69

Function 00425000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00424C7D: RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

_free.LIBCMT ref: 0042506C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b7aa4ace691c3fa9388ad823ca72a9b2d79f95fd92dbd8f54c6512465cf70c33
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BB014E723047146BE3318F55EC4195AFBECFB89370FA5051EE184932C0EA746805C778

Function 0041E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d6336db541ff7d66c6c3f37d936961023c9d9317fea76cbb03a445c41efcebf8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E2F0F936611A20A6C6313A679C05BDB33989F62338FD0071FF821922D2DB7C948285AD

Function 00424C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction ID: 481b8a76f8ebd0726c1620381c01897e6a32763c8268bfc426008805032caf7f
Opcode Fuzzy Hash: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction Fuzzy Hash: 38F0B43170223467DB215F6BBC09B9B3788EFC17A4B564127B819A73D1CB79D80286AC

Function 00423820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction ID: c082febc26968f9271e9f87bf8f1d85995961c632468083047aa9a919ea7aad5
Opcode Fuzzy Hash: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction Fuzzy Hash: 32E0A73230023456D6213E67BC04B9B36E9AB42BF6B550027BD059A6D1CB2DDD0245AD

Function 003F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4F6D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction ID: 730a743a23cd5328075d42e7c2cf07edb240f1bde0f2bc1607aec5310534251d
Opcode Fuzzy Hash: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction Fuzzy Hash: D2F03971505756CFDB369F65E494827BBE4AF14329321897EE2EE82A21CB319888DF10

Function 003F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F314E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: de0d638dd16f1f609804fefca6494069c69854720e914ade67775dc435bdca06
Instruction ID: 52ea27b164f0d109d3d717c5c146914d1f4e8f89de96e8d7a6fc7303d3ac6d3c
Opcode Fuzzy Hash: de0d638dd16f1f609804fefca6494069c69854720e914ade67775dc435bdca06
Instruction Fuzzy Hash: 0DF037709143589FF7929B64DC45BD97BBCBB0170CF0000F9AA48962A2D7745798CF55

Function 003F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction ID: 86f84363ddd292d969d236cdcdcd2105cb0b7f9d98f39792dfc7ffceee67c1d0
Opcode Fuzzy Hash: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction Fuzzy Hash: E8E0CD72A001245BC711A2599C06FEA77DDDFC8790F0400B5FD09D7258D974AD808654

Function 003F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Part of subcall function 003FD730: GetInputState.USER32 ref: 003FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F314E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4aa4c75e6ab31b9db5937063096e79e08ec7f5a008098b8e11dcdca15b81083f
Instruction ID: 4ab26b05608988dafcf4a0256790ff4c262fcd72a1929b3a555594ba0161244c
Opcode Fuzzy Hash: 4aa4c75e6ab31b9db5937063096e79e08ec7f5a008098b8e11dcdca15b81083f
Instruction Fuzzy Hash: 51E0863130424D06C60ABB759856A7DA759DBD2352F40153FF7464B163CF2489494356

Function 0043039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction ID: d8207d25fba0f6e373fad7f4ce4beb1bb1fc988c68a86d93079d3847a9d8459d
Opcode Fuzzy Hash: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction Fuzzy Hash: 6CD06C3204010DBBDF028F84DD86EDA3BAAFB48714F014010BE1856020C732E821AB94

Function 003F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003F1CBC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction ID: 32d945c50b8637ebd5a6344e7a18b3783812a0b046941af8aecc4f4b7364a3f9
Opcode Fuzzy Hash: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction Fuzzy Hash: 98C09B35280314BFF6545780BD4AF157754A348B04F044411FA09555F3C3F11410D758

Non-executed Functions

Function 00489576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004896C9
SendMessageW.USER32 ref: 004896F2
GetKeyState.USER32(00000011), ref: 0048978B
GetKeyState.USER32(00000009), ref: 00489798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004897AE
GetKeyState.USER32(00000010), ref: 004897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004897E9
SendMessageW.USER32 ref: 00489810
SendMessageW.USER32(?,00001030,?,00487E95), ref: 00489918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00489941
SetCapture.USER32(?), ref: 0048994A
ClientToScreen.USER32(?,?), ref: 004899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004899D6
ReleaseCapture.USER32 ref: 004899E1
GetCursorPos.USER32(?), ref: 00489A19
ScreenToClient.USER32(?,?), ref: 00489A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489A80
SendMessageW.USER32 ref: 00489AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489AEB
SendMessageW.USER32 ref: 00489B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00489B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00489B4A
GetCursorPos.USER32(?), ref: 00489B68
ScreenToClient.USER32(?,?), ref: 00489B75
GetParent.USER32(?), ref: 00489B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489BFA
SendMessageW.USER32 ref: 00489C2B
ClientToScreen.USER32(?,?), ref: 00489C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00489CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489CDE
SendMessageW.USER32 ref: 00489D01
ClientToScreen.USER32(?,?), ref: 00489D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00489D82

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetWindowLongW.USER32(?,000000F0), ref: 00489E05

Strings

@GUI_DRAGID, xrefs: 0048997D
p#L, xrefs: 00489990
F, xrefs: 00489D07

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#L
API String ID: 3429851547-2489550902
Opcode ID: e476e02ad388ec1bddb0a62cc77f6db3b1f107830fe6bf4245d2421670fa687d
Instruction ID: f633a265bba9722d2351badf29d24c3c239b6685b30b448ce8d0fba5898ddef3
Opcode Fuzzy Hash: e476e02ad388ec1bddb0a62cc77f6db3b1f107830fe6bf4245d2421670fa687d
Instruction Fuzzy Hash: 36427B74204601AFD725EF24CC84EBEBBE5EF49310F180A2EF659972A1E735AC50CB59

Function 00484873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00484908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00484927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0048494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0048495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0048497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00484A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A7E
IsMenu.USER32(?), ref: 00484A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484B20
GetWindowLongW.USER32(?,000000F0), ref: 00484B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00484BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00484C82
wsprintfW.USER32 ref: 00484CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00484D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484D5A

Strings

%d/%02d/%02d, xrefs: 00484CA8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 78c74a077eda74a86836d290a62667887d56012af176781229621227e298d7a4
Instruction ID: 7fe0079997798d8a31590167c5497605e83a0aa2859e9ae0cde8744b56a6c5ef
Opcode Fuzzy Hash: 78c74a077eda74a86836d290a62667887d56012af176781229621227e298d7a4
Instruction Fuzzy Hash: EC120171500255ABEB25AF24CC49FAF7BF8AF85300F10492EFA15EB2E1D7789941CB58

Function 0040F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0040F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044F474
IsIconic.USER32(00000000), ref: 0044F47D
ShowWindow.USER32(00000000,00000009), ref: 0044F48A
SetForegroundWindow.USER32(00000000), ref: 0044F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4AA
GetCurrentThreadId.KERNEL32 ref: 0044F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0044F4DE
SetForegroundWindow.USER32(00000000), ref: 0044F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F4F6
keybd_event.USER32(00000012,00000000), ref: 0044F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F50B
keybd_event.USER32(00000012,00000000), ref: 0044F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F519
keybd_event.USER32(00000012,00000000), ref: 0044F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F528
keybd_event.USER32(00000012,00000000), ref: 0044F52D
SetForegroundWindow.USER32(00000000), ref: 0044F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0044F557

Strings

Shell_TrayWnd, xrefs: 0044F46F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction ID: c52cb7260694c843876bb6d7bdde4087a795f10093468c38476cc509c5c90d5e
Opcode Fuzzy Hash: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction Fuzzy Hash: 10315271A40228BBFB206BB55C8AFBF7E6CEB44B50F10043AF601E61D1D6B45D00AB79

Function 00451201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00451286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004512A8
CloseHandle.KERNEL32(?), ref: 004512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004512D1
GetProcessWindowStation.USER32 ref: 004512EA
SetProcessWindowStation.USER32(00000000), ref: 004512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00451310

Part of subcall function 004510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
Part of subcall function 004510BF: CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Strings

, xrefs: 0045125A
winsta0, xrefs: 004512CC
ZK, xrefs: 00451392
default, xrefs: 0045130B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZK
API String ID: 22674027-314871684
Opcode ID: 5e4da31269045a00b0a5d0370694203e845d05df465231bccd7317735c903891
Instruction ID: bd90cc5168fff163f2adba40d72f418b147b3928d9fe2f49864f36465760e3c2
Opcode Fuzzy Hash: 5e4da31269045a00b0a5d0370694203e845d05df465231bccd7317735c903891
Instruction Fuzzy Hash: A5818071900209ABDF119FA4DC89FEF7BB9EF05705F14412AFD10B62A1D7788949CB68

Function 00450B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450C00
GetLengthSid.ADVAPI32(?), ref: 00450C17
GetAce.ADVAPI32(?,00000000,?), ref: 00450C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450C6D
GetLengthSid.ADVAPI32(?), ref: 00450C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450C8C
HeapAlloc.KERNEL32(00000000), ref: 00450C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450CB4
CopySid.ADVAPI32(00000000), ref: 00450CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D45
HeapFree.KERNEL32(00000000), ref: 00450D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D55
HeapFree.KERNEL32(00000000), ref: 00450D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D65
HeapFree.KERNEL32(00000000), ref: 00450D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00450D78
HeapFree.KERNEL32(00000000), ref: 00450D7F

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction ID: 073291be1dafe2583aeb4b706fc6174b64cce2e4df479bbc91933e632a99602a
Opcode Fuzzy Hash: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction Fuzzy Hash: 9B716E7590020AABDF109FE4DC84FEFBBB8BF05341F14452AED14A6292D779A909CB74

Function 0046EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0048CC08), ref: 0046EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046EB37
GetClipboardData.USER32(0000000D), ref: 0046EB43
CloseClipboard.USER32 ref: 0046EB4F
GlobalLock.KERNEL32(00000000), ref: 0046EB87
CloseClipboard.USER32 ref: 0046EB91
GlobalUnlock.KERNEL32(00000000), ref: 0046EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0046EBC9
GetClipboardData.USER32(00000001), ref: 0046EBD1
GlobalLock.KERNEL32(00000000), ref: 0046EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0046EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0046EC38
GetClipboardData.USER32(0000000F), ref: 0046EC44
GlobalLock.KERNEL32(00000000), ref: 0046EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0046EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0046ECF3
CountClipboardFormats.USER32 ref: 0046ED14
CloseClipboard.USER32 ref: 0046ED59

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction ID: 0684fe9e9a54b24bb3d0b691779ee7251aaa38a0ec38b171573f140777eff25d
Opcode Fuzzy Hash: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction Fuzzy Hash: C661E038204206AFD301EF21D884F3E77E4AF84744F14486EF5469B2A2EB35ED46CB66

Function 0046698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004669BE
FindClose.KERNEL32(00000000), ref: 00466A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A75

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00466AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00466ADF

Strings

%03d, xrefs: 00466DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00466B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00466B32
%4d, xrefs: 00466BB1
%02d, xrefs: 00466C00, 00466C0A, 00466C5A, 00466CAA, 00466CFA, 00466D4A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a4765bf55f34f897874e0f31bbf86dcc85eda6d4a23d0cbdbac55c7df7e01a67
Instruction ID: bba600e9add7e16b1fd8e4686386a8a29d899c4e05b35af22a86b3cd2da9979b
Opcode Fuzzy Hash: a4765bf55f34f897874e0f31bbf86dcc85eda6d4a23d0cbdbac55c7df7e01a67
Instruction Fuzzy Hash: 7CD15271508304AFC711EBA4C995EBFB7ECAF88704F04491EF685D6291EB78DA44CB62

Function 00469642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00469663
GetFileAttributesW.KERNEL32(?), ref: 004696A1
SetFileAttributesW.KERNEL32(?,?), ref: 004696BB
FindNextFileW.KERNEL32(00000000,?), ref: 004696D3
FindClose.KERNEL32(00000000), ref: 004696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0046974A
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 00469768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00469772
FindClose.KERNEL32(00000000), ref: 0046977F
FindClose.KERNEL32(00000000), ref: 0046978F

Strings

*.*, xrefs: 004696F5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction ID: 7fe6b5ed52448be8fe6326f01f411f5e07291da937c7bea5d27ea174840358f3
Opcode Fuzzy Hash: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction Fuzzy Hash: 2D31C532500219AADF14AFB4DC48AEF77AC9F49321F1045ABF805E2190EB78DD448F2D

Function 0046979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00469819
FindClose.KERNEL32(00000000), ref: 00469824
FindFirstFileW.KERNEL32(*.*,?), ref: 00469840
SetCurrentDirectoryW.KERNEL32(?), ref: 00469890
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 004698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004698B8
FindClose.KERNEL32(00000000), ref: 004698C5
FindClose.KERNEL32(00000000), ref: 004698D5

Part of subcall function 0045DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0045DB00

Strings

*.*, xrefs: 0046983B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction ID: 85cb781c52fcea0d495235fcb5a3e89966cc2c3acec5e091c4662929bd4dd289
Opcode Fuzzy Hash: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction Fuzzy Hash: 0B31C532500219AADB10BFB5EC48ADF77AC9F46324F1445ABE810A31D0EB78DD85CB6D

Function 0047BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0047BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0047BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0047C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0047C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0047C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047C382
RegCloseKey.ADVAPI32(00000000), ref: 0047C38F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 45505f90a495d27d60c83a4d13c57d12d0dc17c7b3b15dd02d084caa89ca3863
Instruction ID: d5236cfd69491b83aed463b0d66dbe7f4694735df460c04d40af01b1528fe834
Opcode Fuzzy Hash: 45505f90a495d27d60c83a4d13c57d12d0dc17c7b3b15dd02d084caa89ca3863
Instruction Fuzzy Hash: 94023B716042009FC715CF24C8D1E6ABBE5EF49308F18C4AEE84ADB2A2D735ED45CB95

Function 00468195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00468257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00468267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00468273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00468310
SetCurrentDirectoryW.KERNEL32(?), ref: 00468324
SetCurrentDirectoryW.KERNEL32(?), ref: 00468356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0046838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00468395

Strings

*.*, xrefs: 0046839B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction ID: 580c564203e25b3d38197bda0a6cf15bfac57c5bce2014f552f7f62c801850e5
Opcode Fuzzy Hash: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction Fuzzy Hash: 0D615CB25043499FCB10EF60C8509AFB3E8FF89314F04496EF98997251EB39E945CB96

Function 0045D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0045D1DD
MoveFileW.KERNEL32(?,?), ref: 0045D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D237

Part of subcall function 0045D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0045D21C,?,?), ref: 0045D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0045D253
FindClose.KERNEL32(00000000), ref: 0045D264

Strings

\*.*, xrefs: 0045D0CD, 0045D0D6, 0045D0EB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 2fc4216fcc0242c1b133bcef4fabbc3657e9c1df03a52fa44fdb26fe762d81bb
Instruction ID: a7c9c34f7002463335195d8d3a90de3284d034a3137ab6b2e17d23735afa76f2
Opcode Fuzzy Hash: 2fc4216fcc0242c1b133bcef4fabbc3657e9c1df03a52fa44fdb26fe762d81bb
Instruction Fuzzy Hash: 52617131C0110D9ACF16EBE1DA92AFEB7B5AF15341F2041AAE90177292EB345F0DCB65

Function 0046ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0046ED91
EmptyClipboard.USER32 ref: 0046ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0046EDAC
CloseClipboard.USER32 ref: 0046EEA3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction ID: e6a54b33e787f372e2cb1b64593f0cfe80895025e0ed091e825c0dbad0e58e01
Opcode Fuzzy Hash: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction Fuzzy Hash: 7841A0356046119FE310CF16D888F1ABBE1EF44318F14C4AEE4158B762D73AEC42CB95

Function 0045E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

ExitWindowsEx.USER32(?,00000000), ref: 0045E932

Strings

@, xrefs: 0045E925
, xrefs: 0045E920
, xrefs: 0045E95C
SeShutdownPrivilege, xrefs: 0045E902

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction ID: 311e2eccae07cfcdfa21d9a18e121fdb29cf93231e140cfba40e8c7a28c5d6e0
Opcode Fuzzy Hash: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction Fuzzy Hash: DF012BB2A10210ABEB1826B6AC86FBF725C9B14746F150827FC03E21D3D56C5D4882AD

Function 00471204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00471276
WSAGetLastError.WSOCK32 ref: 00471283
bind.WSOCK32(00000000,?,00000010), ref: 004712BA
WSAGetLastError.WSOCK32 ref: 004712C5
closesocket.WSOCK32(00000000), ref: 004712F4
listen.WSOCK32(00000000,00000005), ref: 00471303
WSAGetLastError.WSOCK32 ref: 0047130D
closesocket.WSOCK32(00000000), ref: 0047133C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction ID: 08511185c3c24f917a5c46d1d8d21d171e02cd84c3081258841127ac7bce5a57
Opcode Fuzzy Hash: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction Fuzzy Hash: 6D417F316001009FD710EF68C488B6ABBE5AF46318F18C599D95A9F3A3C775ED81CBA5

Function 0045D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D481
FindClose.KERNEL32(00000000), ref: 0045D498
FindClose.KERNEL32(00000000), ref: 0045D4A1

Strings

\*.*, xrefs: 0045D3F2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 66c6e72b62eaf4dc01903a922283a0c0b9ab42ce4a1717544b902526767f8653
Instruction ID: 6bcb26ea9e01d77ca04ac6416d81e0e7f8349eb86078c3c1d2d15145ad5e39f4
Opcode Fuzzy Hash: 66c6e72b62eaf4dc01903a922283a0c0b9ab42ce4a1717544b902526767f8653
Instruction Fuzzy Hash: 7C31A4714083499BC311EF64C8919BF77E8AE92301F404E2EF9D557192EB34AA0DC767

Function 0042E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0042E645

Strings

1#IND, xrefs: 0042F83D
1#SNAN, xrefs: 0042F844
1#QNAN, xrefs: 0042F84B
1#INF, xrefs: 0042F852

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction ID: 9f98ecc8430bec910c7e4ddca0fe9472fc3c710ba4f0e1d05ef24a4c1c44b0f2
Opcode Fuzzy Hash: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction Fuzzy Hash: 9AC25B71E046288FDB25CE29ED407EAB7B5EB49304F9441EBD80DE7241E778AE858F44

Function 0046648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004664DC
CoInitialize.OLE32(00000000), ref: 00466639
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 00466650
CoUninitialize.OLE32 ref: 004668D4

Strings

.lnk, xrefs: 004664BA, 00466524, 004665E0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d073ecf12e6fb09b5aa6bdacd8104b9f417dfff1f0d207bc27119a99854eba73
Instruction ID: 544f2e9c5ba4d62641fb1384c23f6a27287910d558277ae8ff04f6961c76a7db
Opcode Fuzzy Hash: d073ecf12e6fb09b5aa6bdacd8104b9f417dfff1f0d207bc27119a99854eba73
Instruction Fuzzy Hash: CFD13B71508305AFC315EF24C881A6BB7E8FF94704F10496EF5968B291EB70ED09CB96

Function 004722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004722E8

Part of subcall function 0046E4EC: GetWindowRect.USER32(?,?), ref: 0046E504

GetDesktopWindow.USER32 ref: 00472312
GetWindowRect.USER32(00000000), ref: 00472319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00472355
GetCursorPos.USER32(?), ref: 00472381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004723DF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction ID: 4ebbe1750ddf0d327e488d734bfbf524c847558f4c8d117f375eb37fdfc70295
Opcode Fuzzy Hash: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction Fuzzy Hash: 7D31F272104315AFC720DF25D844B9BB7E9FF84314F00492EF88897281DB78EA08CB96

Function 00469B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00469B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00469C8B

Part of subcall function 00463874: GetInputState.USER32 ref: 004638CB
Part of subcall function 00463874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00469BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00469C75

Strings

*.*, xrefs: 00469B5D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e8e4f1039cb9bfdc64570e3d5894a583d4c7650cf486eb6eb59f5ab266a02f45
Instruction ID: 605820135f6e4bb26281a564a982cc7f3169087bf829ca9f425a8473167c9def
Opcode Fuzzy Hash: e8e4f1039cb9bfdc64570e3d5894a583d4c7650cf486eb6eb59f5ab266a02f45
Instruction Fuzzy Hash: 6B417F7190420A9FDF15DF64C989AEE7BF8EF05310F20405BE805A6291EB749E84CF6A

Function 0040997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00409A4E
GetSysColor.USER32(0000000F), ref: 00409B23
SetBkColor.GDI32(?,00000000), ref: 00409B36

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction ID: fe04ec96ec62c6ec10359c0861c373e3e924334048731d7f3ab06f440e2ecc91
Opcode Fuzzy Hash: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction Fuzzy Hash: ECA1E670209484BAF624AA298C88E7F365DDB86354B15412FF502E67D3CB3DAD03D67E

Function 00471806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047185D
WSAGetLastError.WSOCK32 ref: 00471884
bind.WSOCK32(00000000,?,00000010), ref: 004718DB
WSAGetLastError.WSOCK32 ref: 004718E6
closesocket.WSOCK32(00000000), ref: 00471915

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction ID: 2b66ff318420502d6065df80f90cefed1c7187256b00712b770aa750e8223089
Opcode Fuzzy Hash: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction Fuzzy Hash: 7251B271A00204AFDB11AF24C886F7AB7E5AB45718F04845DFA096F3D3C775AD41CBA5

Function 00481C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00481CC0
IsWindowEnabled.USER32 ref: 00481CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00481CDB
IsIconic.USER32 ref: 00481CE9
IsZoomed.USER32 ref: 00481CF7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 43b3107eb9a0fb2402aa5f89bf8c8e2a93d2a52040e2b68959509aed08aa0b71
Instruction ID: cb59bca5fa3370ec20a06173ddb98f7430e66aee87a01861c9bfe6da02e3ceee
Opcode Fuzzy Hash: 43b3107eb9a0fb2402aa5f89bf8c8e2a93d2a52040e2b68959509aed08aa0b71
Instruction Fuzzy Hash: AF21B4317402115FD721AF1AD884B2F7BE9AF95314B18886EE8468B361C775EC43CB98

Function 003F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003F843C
VUUU, xrefs: 003F83E8
VUUU, xrefs: 00435DF0
ERCP, xrefs: 003F813C
VUUU, xrefs: 003F83FA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction ID: 59be4759370dc74c725c7f11e24838bcf50dbe6cbddb6555d6b33b418d5d2621
Opcode Fuzzy Hash: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction Fuzzy Hash: 70A28D70A0061ACBDF29CF58C8407BEB7B1BF58314F2585AAD915AB385DB389D81CF94

Function 00458298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004582AA

Strings

tbK, xrefs: 004584F4
(, xrefs: 004582F0
|, xrefs: 004582DA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbK$|
API String ID: 1659193697-3035244722
Opcode ID: 13a197ae68fe2dd9e3ff36ab8579a017edbd099c5ce39df1f8c07947e07792b5
Instruction ID: a749ba32bf1c48e4820b0c0c85f79d3dda02e75221c8cfa9d47329a3178a22ca
Opcode Fuzzy Hash: 13a197ae68fe2dd9e3ff36ab8579a017edbd099c5ce39df1f8c07947e07792b5
Instruction Fuzzy Hash: 0E323775A00605DFCB28CF19C48196AB7F0FF48710B15C46EE89AEB7A2EB74E941CB44

Function 0045AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0045AAAC
SetKeyboardState.USER32(00000080), ref: 0045AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0045AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0045AB88

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction ID: 5c52e394d77e22c0e1a1972649df64fffb4e2e483fb32a6108cccae0d2bed7d0
Opcode Fuzzy Hash: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction Fuzzy Hash: 58310C30A40204AEEB35CA658C05BFF77A6AB44312F04431BFA81562D2D37D9969C7EB

Function 0042BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042BB7F

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

GetTimeZoneInformation.KERNEL32 ref: 0042BB91
WideCharToMultiByte.KERNEL32(00000000,?,004C121C,000000FF,?,0000003F,?,?), ref: 0042BC09
WideCharToMultiByte.KERNEL32(00000000,?,004C1270,000000FF,?,0000003F,?,?,?,004C121C,000000FF,?,0000003F,?,?), ref: 0042BC36

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: acd75fe51d3ef231972aeba723b94b7cbd384d6c05aef2db1062710c5e8a874d
Instruction ID: d94c7b743aa40c3942a35d84ed9e3a7e3d16d106986a476efae849af600a5712
Opcode Fuzzy Hash: acd75fe51d3ef231972aeba723b94b7cbd384d6c05aef2db1062710c5e8a874d
Instruction Fuzzy Hash: B531AF74A04215DFCB11DF6AAC8096ABBB8FF4635075486AFE020E72B2D7349D41CB98

Function 0046CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0046CE89
GetLastError.KERNEL32(?,00000000), ref: 0046CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0046CEFE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction ID: 6fd69dbb596f1f976382928fde943bb4333567920b32ea4666cac933a7999b1c
Opcode Fuzzy Hash: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction Fuzzy Hash: E821B2719003059BD720DF65C984BAB77FCEB10314F10482FE686D2291E779ED45CB69

Function 00465C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00465CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00465D17
FindClose.KERNEL32(?), ref: 00465D5F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: bb0b33337a1470abadff0bac4c5985594f71179ac88a4a1a6cc464ff9da0bb17
Instruction ID: 67f08c57896b3a10a4cb1ca082b00584dc7fd6c3dc782bd81a6779e754492ed5
Opcode Fuzzy Hash: bb0b33337a1470abadff0bac4c5985594f71179ac88a4a1a6cc464ff9da0bb17
Instruction Fuzzy Hash: B751AA34604A019FC714DF28C494A9AB7E4FF49314F14855EE95A8B3A2DB34EC45CF96

Function 00422622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422724
UnhandledExceptionFilter.KERNEL32(?), ref: 00422731

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction ID: a219e0aa2b12b8eff35b4e9a5af7fad123db0344c0a59a8cfae10b5d186c1ea6
Opcode Fuzzy Hash: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction Fuzzy Hash: B931D57490122CABCB21DF65DD887DDB7B8AF08310F5041EAE81CA7260E7749F818F48

Function 004651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00465238
SetErrorMode.KERNEL32(00000000), ref: 004652A1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction ID: 0c60eb07c959b8bb812f03c6380b55dee195be3a269290e41cfac98c7708905e
Opcode Fuzzy Hash: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction Fuzzy Hash: B9317C35A00608DFDB00DF54D8C4EAEBBB4FF08314F048099E905AB3A2DB35E846CBA5

Function 004516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410668
Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
GetLastError.KERNEL32 ref: 0045174A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: be69c6b0d1d70917ff5fd412fb0695c27984e72286d07863bf246373107d776a
Instruction ID: 4e3e112dad5569d58963b8b6194e21b65dec5edb4a65ef0a4a1e6011dd9a7cf5
Opcode Fuzzy Hash: be69c6b0d1d70917ff5fd412fb0695c27984e72286d07863bf246373107d776a
Instruction Fuzzy Hash: F111EFB2400204AFD7289F68ECC6E6FB7B9EF44715B20843FE45652291EB74BC458B68

Function 0045D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0045D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D650

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction ID: dda51014a2934f11b5369cfc33c8ed6cda2a95b3ce8a91c234a9fdf8444eb139
Opcode Fuzzy Hash: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction Fuzzy Hash: AA117C71E01228BBDB208F949C84FAFBBBCEB45B50F108126F904E7290C2704A05CBA5

Function 00451663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0045168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004516A1
FreeSid.ADVAPI32(?), ref: 004516B1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction ID: f748b6454c4edb8ccf528cd1b0b120cdca00f2cc78586caea6f348348ebef68e
Opcode Fuzzy Hash: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction Fuzzy Hash: 37F04471940308FBDB00CFE09C89EAEBBBCEB08240F104865E900E2181E334AA048B64

Function 0044D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0044D28C

Strings

X64, xrefs: 0044D2A8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction ID: 84a25008eb27f6c5df07bc9252893a5e93eb98e6da9c457274aaed0503d3737b
Opcode Fuzzy Hash: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction Fuzzy Hash: 65D0C9B480111DEBCB90CBD0DCC8DDDB37CBB04345F1005A6F106A2140D77495498F24

Function 0041CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c3c46fca687729c422bfa7242ffd74ed80dd7b6f335d34bf52ac463b181fce00
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D4022C71E402199BDF14CFA9D9806EEFBF1EF48314F25816AD819E7384D734AE418B88

Function 003FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#L, xrefs: 003FCF7F
Variable is not of type 'Object'., xrefs: 00440C40

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#L
API String ID: 0-783923862
Opcode ID: 90ba077a56e35e0f57816be9891694af4fbb2596477faf69f484385f29600efc
Instruction ID: 2bece344a6e175e998d5b8adc878964ff5bd3a191a3795c9c3fc1081dbd9cb7b
Opcode Fuzzy Hash: 90ba077a56e35e0f57816be9891694af4fbb2596477faf69f484385f29600efc
Instruction Fuzzy Hash: F932AF7095021CDBDF15DF90CA81BFEB7B9BF04304F20406AEA06AB292D779AD46CB54

Function 004668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00466918
FindClose.KERNEL32(00000000), ref: 00466961

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction ID: 30d7fa737e54a4703d95f08e5b94e6d3c406f1b03438e1b1e3bb3f9a560de71a
Opcode Fuzzy Hash: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction Fuzzy Hash: E111D3716042059FC710DF29C484A26BBE5FF85328F05C6ADE8698F3A2D734EC05CB91

Function 004637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637F4

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 018d31e640580b6140cd4a2e344f816178546b7eb4dbfccd3acf204d41144c7f
Instruction ID: 54fb8357f0f558eb79377d696b2ff75b333a5f76d995c86e815e646f9e5fbd00
Opcode Fuzzy Hash: 018d31e640580b6140cd4a2e344f816178546b7eb4dbfccd3acf204d41144c7f
Instruction Fuzzy Hash: 53F0E5B06042282AE7201B769C8DFEB7AAEEFC4762F00017AF509D2291D9709904C7B9

Function 0045B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0045B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0045B270

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction ID: eea58bebce05c6b7f0b544c5c95dafef81a446692f75237191dd1cea8f35761c
Opcode Fuzzy Hash: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction Fuzzy Hash: BDF01D7180424EABDF059FA0C805BAE7BB4FF04305F00845AFD55A5192C7798615DFA8

Function 004510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ae47f610f273932da0a9e6bad947e44103fdc79e7d4199aa89a93baa65744983
Instruction ID: a305cfd632bad06d6e2a4eb0c320cef69d77cbacad0e281f3a47fd41ffa974cc
Opcode Fuzzy Hash: ae47f610f273932da0a9e6bad947e44103fdc79e7d4199aa89a93baa65744983
Instruction Fuzzy Hash: D1E04F32014600AEE7252B61FC05E7777A9EF04310B20883EF8A6808F1DB72AC90DB68

Function 0042676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00426766,?,?,00000008,?,?,0042FEFE,00000000), ref: 00426998

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction ID: 746b2d5111b98ae883941f8475ca6b1203ad81cda077d2f194318e45adae05e2
Opcode Fuzzy Hash: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction Fuzzy Hash: C2B1AD71610618CFD718CF28D486B657BE0FF05364F668699E899CF3A2C739E982CB44

Function 0040B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0044851F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction ID: 6900085956b6b060cf910e56fecef7413762fdd863792c1117bd9e11243611df
Opcode Fuzzy Hash: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction Fuzzy Hash: F61242719002199BDB14CF58C8806EEB7F5FF48710F1481ABE849EB295DB789E81CF99

Function 0046EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0046EABD

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction ID: f7448c00f591368967fa317901a400fa501513d41d87bca657aa42b758c0b722
Opcode Fuzzy Hash: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction Fuzzy Hash: C9E04F352102089FC710EF9AD844E9AF7E9AF98760F00842AFD49DB351EB74E8418BA5

Function 004109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004103EE), ref: 004109DA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction ID: d0e709aa8d2f641bdb2537f7696b844225fea61a054d38b9bca8d8a97f40bdcd
Opcode Fuzzy Hash: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction Fuzzy Hash:

Function 0041781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0041798B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: af2484a871b91ec5c9b2172b16a3bac44c10e883e7efb707e17a36b6b99b472e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 01516AB165C60557EB38666988997FF27B59B02344F18090FE882C7382C61DDECAD35E

Function 00462046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&L, xrefs: 00462053

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: 0&L
API String ID: 0-1738453533
Opcode ID: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction ID: 163846ebe3c7294f2d0536d1a4df63b8126fd7abb813d6662081484aa4982b7c
Opcode Fuzzy Hash: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction Fuzzy Hash: 5221E7323206158BD728CF79C92367E73E5A754310F14862EE4A7C33D0DEB9A904CB94

Function 00426DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction ID: f65c9a0f7c73471ed7c427717fcf50ea9a24a6d4aada53c796c0f181cf5fa4a6
Opcode Fuzzy Hash: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction Fuzzy Hash: B9324521E29F114DDB239634ED62336A249AFB73C5F55C737E81AB5EA5EB28C4C34108

Function 0040CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction ID: 6488bcc90f676bb7a18e3b6c882739e2df68c0c7f5433acf38fc374131aafc9c
Opcode Fuzzy Hash: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction Fuzzy Hash: C9320131A051458BFF68CF29C4D067E77A1EB45304F2C863BD44AAB392D63C9D82DB49

Function 003F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc54b4e5cd53ca7926116bea96877cb091a5c0cc94ce3ad90f75b544d1169dbe
Instruction ID: 36c2fe1ccc01e745cd47552d766217a6de674235299278c137e258a6ac812a49
Opcode Fuzzy Hash: cc54b4e5cd53ca7926116bea96877cb091a5c0cc94ce3ad90f75b544d1169dbe
Instruction Fuzzy Hash: 4222B170A04609DFDF14CFA5C941ABEB7F6FF48300F10452AE816AB291EB39AD55CB54

Function 003F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfc8b6f0ec8a69f2e291687ff47c026975b605a1059210f5804d934b7235316
Instruction ID: 495c5d09cdbe17819c077e14559fa4df16211b11b08d34a410291882e56bb63d
Opcode Fuzzy Hash: 4dfc8b6f0ec8a69f2e291687ff47c026975b605a1059210f5804d934b7235316
Instruction Fuzzy Hash: B902D6B0A00209EBCB05DF55D881BAEB7B5FF48304F10816AE9069B3D1EB35AE55CB85

Function 00429EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe59bbd8e322546dd73fe0f3edc438bc7ea771be5f87fa3c897884a040b7160b
Instruction ID: 8d1fc96e3d0cf6e4f5697250c97a2950add2a1f41efeb71dbbd83f932b8124dd
Opcode Fuzzy Hash: fe59bbd8e322546dd73fe0f3edc438bc7ea771be5f87fa3c897884a040b7160b
Instruction Fuzzy Hash: D5B11420E6AF505DD3239A398835336B65CAFBB6D6F91D32BFC1674D22EB2185834144

Function 00411C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2bf4347a0ce3ed05ff47213f7f485f5427eb1f77f23ead914033aa23a1e90ea2
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 1591A9722080A349DB29437D95340BFFFE15A523A131A079FD5F2CB2E1FE18D595D624

Function 00411F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 02a46ae55677038e65c5fcda24a45a6f6c1f0222dfe3e9b2f4a8a6d35735930b
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: D491A9722090E30AD769833985740BFFFE15A923A130A079FD5F2CB2D5EE68C5E5D624

Function 004119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1ad9737a72e915d4ff449c5d7c299011eace6eec74750db6e1efab8a2e88f11f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1D91837220D0E34ADB2D437A85740BFFFE15A923A131A079FD5F2CA2E1FE189594D624

Function 00417A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction ID: 02b8e5ec8e78c6a6b509e210014179d19901169035aee529bca9ca2f40c088ba
Opcode Fuzzy Hash: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction Fuzzy Hash: 5561477124C70956DA349A288895BFF33B4DF41788F24091FE846DB382DB1DAEC2835E

Function 00417CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342f8178a018657f773b98767da9b9097f1148eed2cf43963c418bbb4e52263f
Instruction ID: 78a2d8f6006ff2ec2fdd3592ef489464d0184cd4ea8cd28f93358a8e4dff718f
Opcode Fuzzy Hash: 342f8178a018657f773b98767da9b9097f1148eed2cf43963c418bbb4e52263f
Instruction Fuzzy Hash: A861467120C70D66DA384A28A895BFF23F59F42748F10095FE942DB381DA1EADC2825E

Function 00411706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d866142b44ea800cf024f36c4dd321057e20df2be1f222eaf9e28af6c828f780
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 818185726090A309DB6D433A85744BFFFE15A923A131A079FD5F2CA3E1EE288594D624

Function 00443CD2 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22b57c88e4e5f9c02036540c344223549d64365ecad51204bf9b24cbbcef656
Instruction ID: 4adeeeb875ce0d4ad19c6b140ff4379e30a4fb8d7c27c710906cae6d62e97358
Opcode Fuzzy Hash: a22b57c88e4e5f9c02036540c344223549d64365ecad51204bf9b24cbbcef656
Instruction Fuzzy Hash: 567128B49083C19FE766CF2080D9966BFE0EF12715B2A84FFC9864B193D634D946C70A

Function 00472ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00472B30
DeleteObject.GDI32(00000000), ref: 00472B43
DestroyWindow.USER32 ref: 00472B52
GetDesktopWindow.USER32 ref: 00472B6D
GetWindowRect.USER32(00000000), ref: 00472B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00472CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00472CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472CF8
GetClientRect.USER32(00000000,?), ref: 00472D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00472D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D80
GlobalLock.KERNEL32(00000000), ref: 00472D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D98
GlobalUnlock.KERNEL32(00000000), ref: 00472DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DA8
GlobalFree.KERNEL32(00000000), ref: 00472DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048FC38,00000000), ref: 00472DDB
GlobalFree.KERNEL32(00000000), ref: 00472DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00472E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00472E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0047303F

Strings

DISPLAY, xrefs: 00472EA2
, xrefs: 00472FC5
static, xrefs: 00472D3A, 00472E91
AutoIt v3, xrefs: 00472CF2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction ID: 6f81a7561ef25761cb647595b8a919e013b4f7785f940648496f3455bb50c0f3
Opcode Fuzzy Hash: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction Fuzzy Hash: F1028C71900209AFDB14DF64CD89EAE7BB9EF49310F008569F919AB2A1D778ED01CF64

Function 004870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048712F
GetSysColorBrush.USER32(0000000F), ref: 00487160
GetSysColor.USER32(0000000F), ref: 0048716C
SetBkColor.GDI32(?,000000FF), ref: 00487186
SelectObject.GDI32(?,?), ref: 00487195
InflateRect.USER32(?,000000FF,000000FF), ref: 004871C0
GetSysColor.USER32(00000010), ref: 004871C8
CreateSolidBrush.GDI32(00000000), ref: 004871CF
FrameRect.USER32(?,?,00000000), ref: 004871DE
DeleteObject.GDI32(00000000), ref: 004871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00487230
FillRect.USER32(?,?,?), ref: 00487262
GetWindowLongW.USER32(?,000000F0), ref: 00487284

Part of subcall function 004873E8: GetSysColor.USER32(00000012), ref: 00487421
Part of subcall function 004873E8: SetTextColor.GDI32(?,?), ref: 00487425
Part of subcall function 004873E8: GetSysColorBrush.USER32(0000000F), ref: 0048743B
Part of subcall function 004873E8: GetSysColor.USER32(0000000F), ref: 00487446
Part of subcall function 004873E8: GetSysColor.USER32(00000011), ref: 00487463
Part of subcall function 004873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
Part of subcall function 004873E8: SelectObject.GDI32(?,00000000), ref: 00487482
Part of subcall function 004873E8: SetBkColor.GDI32(?,00000000), ref: 0048748B
Part of subcall function 004873E8: SelectObject.GDI32(?,?), ref: 00487498
Part of subcall function 004873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
Part of subcall function 004873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
Part of subcall function 004873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4204965c4a7885b95cab7d1b51d79349b17615f5d90a66c36101865625a5ca6e
Instruction ID: 4db8d1974e26953b0362920e91dc8d463998d63b1df0dab4d4ce1c83034535af
Opcode Fuzzy Hash: 4204965c4a7885b95cab7d1b51d79349b17615f5d90a66c36101865625a5ca6e
Instruction Fuzzy Hash: 61A19372008311BFDB10AF64DC88A5F7BA9FB49320F100E2DF962961E1D775D945CB66

Function 00408D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00408E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00446AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00446AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00446F43

Part of subcall function 00408F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00408BE8,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408FC5

SendMessageW.USER32(?,00001053), ref: 00446F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00446F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00446FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00446FB7

Strings

0, xrefs: 00446DCF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 390395688ea9dca7435779d1a48391cf1ddcc099dfbaa62671fa515b61e77b1c
Instruction ID: fd27a577bb4a4d51c1acbde15a64e905f93f23f14c9b58531e696a8f0bc4ff60
Opcode Fuzzy Hash: 390395688ea9dca7435779d1a48391cf1ddcc099dfbaa62671fa515b61e77b1c
Instruction Fuzzy Hash: 2C12A070600211DFEB15CF14C984BAAB7E5FB46300F15447EE585DB262CB39EC52DB9A

Function 00472711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0047273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00472900
GetClientRect.USER32(00000000,?), ref: 0047290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00472955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00472964
GetStockObject.GDI32(00000011), ref: 00472974
SelectObject.GDI32(00000000,00000000), ref: 00472978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00472988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00472991
DeleteDC.GDI32(00000000), ref: 0047299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00472A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00472A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00472A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00472A77
GetStockObject.GDI32(00000011), ref: 00472A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00472A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00472A97

Strings

DISPLAY, xrefs: 0047295A
msctls_progress32, xrefs: 00472A13
static, xrefs: 0047294F, 00472A71
AutoIt v3, xrefs: 004728F8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction ID: 3c78963f6ef73bf949395c8a4c94b4923fe62d3c00a52e7ff2c28969f7795044
Opcode Fuzzy Hash: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction Fuzzy Hash: FBB17171A00219AFEB14DF68CD85FAE7BB9EB05714F008519FA15EB2A1D774ED00CBA4

Function 00464ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464AED
GetDriveTypeW.KERNEL32(?,0048CB68,?,\\.\,0048CC08), ref: 00464BCA
SetErrorMode.KERNEL32(00000000,0048CB68,?,\\.\,0048CC08), ref: 00464D36

Strings

FileBackedVirtual, xrefs: 00464CEC
RAMDisk, xrefs: 00464BF4
ATA, xrefs: 00464C98
Fibre, xrefs: 00464CAD
RAID, xrefs: 00464CBB
\\.\, xrefs: 00464B3F
Virtual, xrefs: 00464CE5
CDROM, xrefs: 00464BFB
SSA, xrefs: 00464CA6
Fixed, xrefs: 00464C09
iSCSI, xrefs: 00464CC2
MMC, xrefs: 00464CDE
USB, xrefs: 00464CB4
SSD, xrefs: 00464C4A
PhysicalDrive, xrefs: 00464B76
SAS, xrefs: 00464CC9
SATA, xrefs: 00464CD0
SCSI, xrefs: 00464C8A
ATAPI, xrefs: 00464C91
Unknown, xrefs: 00464BED, 00464C83
Removable, xrefs: 00464C10, 00464C15
Network, xrefs: 00464C02
1394, xrefs: 00464C9F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ad95ea66a8df863776bfaca11634450959eefd77222570526e5bb9be1b2924cc
Instruction ID: d49ee9f95d53a8e2f440c812ae9e275aa302d57f6f69503e27375d3ec739bda2
Opcode Fuzzy Hash: ad95ea66a8df863776bfaca11634450959eefd77222570526e5bb9be1b2924cc
Instruction Fuzzy Hash: 8A61B4706011059BCF04DF18C981ABD7BA4AF84744B268417F906AB791EB3DED42DB6F

Function 004873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00487421
SetTextColor.GDI32(?,?), ref: 00487425
GetSysColorBrush.USER32(0000000F), ref: 0048743B
GetSysColor.USER32(0000000F), ref: 00487446
CreateSolidBrush.GDI32(?), ref: 0048744B
GetSysColor.USER32(00000011), ref: 00487463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
SelectObject.GDI32(?,00000000), ref: 00487482
SetBkColor.GDI32(?,00000000), ref: 0048748B
SelectObject.GDI32(?,?), ref: 00487498
InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00487554
InflateRect.USER32(?,000000FD,000000FD), ref: 00487572
DrawFocusRect.USER32(?,?), ref: 0048757D
GetSysColor.USER32(00000011), ref: 0048758E
SetTextColor.GDI32(?,00000000), ref: 00487596
DrawTextW.USER32(?,004870F5,000000FF,?,00000000), ref: 004875A8
SelectObject.GDI32(?,?), ref: 004875BF
DeleteObject.GDI32(?), ref: 004875CA
SelectObject.GDI32(?,?), ref: 004875D0
DeleteObject.GDI32(?), ref: 004875D5
SetTextColor.GDI32(?,?), ref: 004875DB
SetBkColor.GDI32(?,?), ref: 004875E5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9f007ae9a8339038fd2d824250a8551b138518c1a4fb46acda990fc449883ce2
Instruction ID: 91834c63deecba1c28efbcf2012d82d1cff2ceb27d464145bb39742f0729ccd5
Opcode Fuzzy Hash: 9f007ae9a8339038fd2d824250a8551b138518c1a4fb46acda990fc449883ce2
Instruction Fuzzy Hash: E4616271900218BFDF019FA4DC89E9E7F79EB08720F214926F915B72A1D7749940DFA4

Function 00480FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00481128
GetDesktopWindow.USER32 ref: 0048113D
GetWindowRect.USER32(00000000), ref: 00481144
GetWindowLongW.USER32(?,000000F0), ref: 00481199
DestroyWindow.USER32(?), ref: 004811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00481232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00481245
IsWindowVisible.USER32(00000000), ref: 004812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004812D0
GetWindowRect.USER32(00000000,?), ref: 004812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0048130E
GetMonitorInfoW.USER32(00000000,?), ref: 00481328
CopyRect.USER32(?,?), ref: 0048133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004813AA

Strings

(, xrefs: 0048131B
0, xrefs: 004810D3
tooltips_class32, xrefs: 004811E6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction ID: 242c7cc1ddb4cb030afc4e5475ec2bf45860f46c87befa9398436a209498ba4f
Opcode Fuzzy Hash: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction Fuzzy Hash: F6B15A71604341AFD700EF64C884B6FBBE8EF89350F00891EF999AB261D775E845CBA5

Function 00408891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00408968
GetSystemMetrics.USER32(00000007), ref: 00408970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0040899B
GetSystemMetrics.USER32(00000008), ref: 004089A3
GetSystemMetrics.USER32(00000004), ref: 004089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00408A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00408A3C
GetClientRect.USER32(00000000,000000FF), ref: 00408A5A
GetStockObject.GDI32(00000011), ref: 00408A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00408A81

Part of subcall function 0040912D: GetCursorPos.USER32(?), ref: 00409141
Part of subcall function 0040912D: ScreenToClient.USER32(00000000,?), ref: 0040915E
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000001), ref: 00409183
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000002), ref: 0040919D

SetTimer.USER32(00000000,00000000,00000028,004090FC), ref: 00408AA8

Strings

AutoIt v3 GUI, xrefs: 00408A20

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 033c2a2e0d309e90c53fdc6ed5e2a36a84e4b8172550d34382854e843db8675f
Instruction ID: 61d346ab6a916e92a2445a6d3c66081714fe4aa408db14056f4900a4e2d0d9e0
Opcode Fuzzy Hash: 033c2a2e0d309e90c53fdc6ed5e2a36a84e4b8172550d34382854e843db8675f
Instruction Fuzzy Hash: CDB16E756002099FDF14EF68CD85BAE3BB5BB49314F11412AFA15A72D0DB38E841CF69

Function 00450D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450E29
GetLengthSid.ADVAPI32(?), ref: 00450E40
GetAce.ADVAPI32(?,00000000,?), ref: 00450E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450E96
GetLengthSid.ADVAPI32(?), ref: 00450EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450EB5
HeapAlloc.KERNEL32(00000000), ref: 00450EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450EDD
CopySid.ADVAPI32(00000000), ref: 00450EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F6E
HeapFree.KERNEL32(00000000), ref: 00450F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F7E
HeapFree.KERNEL32(00000000), ref: 00450F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F8E
HeapFree.KERNEL32(00000000), ref: 00450F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00450FA1
HeapFree.KERNEL32(00000000), ref: 00450FA8

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction ID: a9c90ce2fa76622eb654c8e7f2d484fa7f1d4e59cbe141a9431c3aa7294885e0
Opcode Fuzzy Hash: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction Fuzzy Hash: 4371B176900209ABDF209FA0DC89FAFBBB8BF05301F14452AF914E6252D774D909CB74

Function 0047C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048CC08,00000000,?,00000000,?,?), ref: 0047C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0047C5A4
_wcslen.LIBCMT ref: 0047C5F4
_wcslen.LIBCMT ref: 0047C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0047C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0047C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0047C84D
RegCloseKey.ADVAPI32(?), ref: 0047C881
RegCloseKey.ADVAPI32(00000000), ref: 0047C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0047C960

Strings

REG_DWORD, xrefs: 0047C804
REG_QWORD, xrefs: 0047C8C3
REG_BINARY, xrefs: 0047C913
REG_SZ, xrefs: 0047C644
REG_EXPAND_SZ, xrefs: 0047C5CD
REG_MULTI_SZ, xrefs: 0047C6F5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e411ca328eff1c3d55d5703460511c73fa1388ec7b7a9b8e78e4fdcf2c834b09
Instruction ID: 97c50a07fc5cdef53edee673525750b3a63c923f06d3bfff5c53a87d00291f17
Opcode Fuzzy Hash: e411ca328eff1c3d55d5703460511c73fa1388ec7b7a9b8e78e4fdcf2c834b09
Instruction Fuzzy Hash: 0D128A352042019FC715DF24C881A6AB7E5FF89714F05885EF98A9B3A2DB35FC45CB8A

Function 0048091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004809C6
_wcslen.LIBCMT ref: 00480A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00480A54
_wcslen.LIBCMT ref: 00480A8A
_wcslen.LIBCMT ref: 00480B06
_wcslen.LIBCMT ref: 00480B81

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

Part of subcall function 00452BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00452BFA

Strings

EXISTS, xrefs: 00480B7C, 00480B97
GETITEMCOUNT, xrefs: 00480C1E
CHECK, xrefs: 00480A85, 00480AA0
GETSELECTED, xrefs: 00480C4E
GETTOTALCOUNT, xrefs: 004809F2, 00480A17
ISCHECKED, xrefs: 00480CE1
UNCHECK, xrefs: 00480D3E
EXPAND, xrefs: 00480BF8
GETTEXT, xrefs: 00480C97
COLLAPSE, xrefs: 00480B01, 00480B1C
SELECT, xrefs: 00480D11

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction ID: 61d9b448b46a2b6aee3db2680cc004e277f8b78fe34c4a0bd7dc98d0e71a11b2
Opcode Fuzzy Hash: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction Fuzzy Hash: 2CE1BF312183018FC754EF25C45096EB7E1BF99318B108D5EF89A9B3A2D738ED49CB99

Function 0047C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
_wcslen.LIBCMT ref: 0047C9F1
_wcslen.LIBCMT ref: 0047CA68
_wcslen.LIBCMT ref: 0047CA9E
_wcslen.LIBCMT ref: 0047CAF9
_wcslen.LIBCMT ref: 0047CB2F
_wcslen.LIBCMT ref: 0047CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 0047CB79, 0047CB7E
HKCC, xrefs: 0047CBAC
HKCU, xrefs: 0047CBCE
HKEY_USERS, xrefs: 0047CBDF
HKCR, xrefs: 0047CB29, 0047CB2E
HKEY_LOCAL_MACHINE, xrefs: 0047CA62, 0047CA67
HKEY_CURRENT_USER, xrefs: 0047CBBD
HKLM, xrefs: 0047CA98, 0047CA9D
HKU, xrefs: 0047CBF0
HKEY_CLASSES_ROOT, xrefs: 0047CAF3, 0047CAF8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction ID: caae4f080c3d0fdd5dda2ebc6d117cd949d9e2419ad14b784b9e685741ba7212
Opcode Fuzzy Hash: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction Fuzzy Hash: 1F71D67260012A8BCB20DE78D9816FB33919BA4754B25852FF859A7384EB3DDD45C3A8

Function 0048833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048835A
_wcslen.LIBCMT ref: 0048836E
_wcslen.LIBCMT ref: 00488391
_wcslen.LIBCMT ref: 004883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0048361A,?), ref: 0048844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488501
FreeLibrary.KERNEL32(?), ref: 0048850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048851D
DestroyIcon.USER32(?), ref: 0048852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00488549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00488555

Strings

.icl, xrefs: 00488368
.dll, xrefs: 004883AB
.exe, xrefs: 00488388

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction ID: d24a7bf4f3b2d461f140946363a9c5e4630f8751b4d3cf0b3206c7ebc7174e9f
Opcode Fuzzy Hash: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction Fuzzy Hash: 8261E271500219BAEB14EF64CC81BFF77A8BF04B11F50491EF915D61D1EB78A980CBA8

Function 003F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 003F7817
', xrefs: 00435169
", xrefs: 00435153
#cs, xrefs: 003F7873, 003F78C5
#ce, xrefs: 003F78ED
#include-once, xrefs: 003F782F
#pragma compile, xrefs: 003F77D3
#requireadmin, xrefs: 003F77FF
#comments-start, xrefs: 003F785F, 003F78B1
Unterminated group of comments, xrefs: 0043528C
Cannot parse #include, xrefs: 00435279
Bad directive syntax error, xrefs: 0043519A
#include, xrefs: 003F7847
#comments-end, xrefs: 003F78D9
#notrayicon, xrefs: 003F77E7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8030564e2d0ae4d79b24d7650ac8f982e344a523ae528287f0c13ae2c8b9eeac
Instruction ID: 5ec1a84a0bec16b83cb8704cee538f7b5b2734a956237b2a2dce8470ecd41c97
Opcode Fuzzy Hash: 8030564e2d0ae4d79b24d7650ac8f982e344a523ae528287f0c13ae2c8b9eeac
Instruction Fuzzy Hash: 56810971A04209BBDF21BF61CC42FBF3768AF14300F14403AFA04AA196EB79D955C7A9

Function 00463E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00463EF8
_wcslen.LIBCMT ref: 00463F03
_wcslen.LIBCMT ref: 00463F5A
_wcslen.LIBCMT ref: 00463F98
GetDriveTypeW.KERNEL32(?), ref: 00463FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00464059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00464087

Strings

open, xrefs: 00463F54, 00463F59
close cd wait, xrefs: 00464072
wait, xrefs: 00464044
closed, xrefs: 00463F08, 00463F2D, 00463F46, 00463F7E, 00463F97
close, xrefs: 00463EFE, 00463F18
set cd door , xrefs: 00464028
type cdaudio alias cd wait, xrefs: 00464001
open , xrefs: 00463FE5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: be536db601e8ad1064833b188d884b223d0b32bee9e983ae283af94ab8ddffa3
Instruction ID: 64e83d3ee5d90f815dadee3e85df07253dc7313a150db357dc354c8621b38afc
Opcode Fuzzy Hash: be536db601e8ad1064833b188d884b223d0b32bee9e983ae283af94ab8ddffa3
Instruction Fuzzy Hash: 767120326042169FC710EF24C8809BBB7F4EF94758F00492EF99587291EB38ED45CB96

Function 00455A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00455A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00455A40
SetWindowTextW.USER32(?,?), ref: 00455A57
GetDlgItem.USER32(?,000003EA), ref: 00455A6C
SetWindowTextW.USER32(00000000,?), ref: 00455A72
GetDlgItem.USER32(?,000003E9), ref: 00455A82
SetWindowTextW.USER32(00000000,?), ref: 00455A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00455AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00455AC3
GetWindowRect.USER32(?,?), ref: 00455ACC
_wcslen.LIBCMT ref: 00455B33
SetWindowTextW.USER32(?,?), ref: 00455B6F
GetDesktopWindow.USER32 ref: 00455B75
GetWindowRect.USER32(00000000), ref: 00455B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00455BD3
GetClientRect.USER32(?,?), ref: 00455BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00455C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00455C2F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction ID: 3495fe51c6e0ffadac55f969c2f5623708e7d08b569ff72682e92f627a629bf7
Opcode Fuzzy Hash: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction Fuzzy Hash: 9C719F31900B059FDB20DFA8CE99A6EBBF5FF48705F10092DE542A26A1D778F944CB58

Function 0046FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0046FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0046FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0046FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0046FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0046FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0046FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0046FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0046FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0046FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0046FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0046FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0046FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0046FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0046FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0046FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0046FECC
GetCursorInfo.USER32(?), ref: 0046FEDC
GetLastError.KERNEL32 ref: 0046FF1E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d149824f84e950bbd30e28ca37fc0c1ad6c067239c1125e4830993c1eaf5c645
Instruction ID: f2a89f37b1f0beb69fd37fc62004a4e5c94f4eba6040b3f10d42b174444bab27
Opcode Fuzzy Hash: d149824f84e950bbd30e28ca37fc0c1ad6c067239c1125e4830993c1eaf5c645
Instruction Fuzzy Hash: 5E4163B0D043196ADB10DFBA9C8585EBFE8FF04754B50453AE119EB281DB78A9018F95

Function 004530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045318D
_wcslen.LIBCMT ref: 004531F8

Strings

[K, xrefs: 0045339A
TEXT, xrefs: 0045347C
REGEXPCLASS, xrefs: 00453255, 00453266
INSTANCE, xrefs: 00453453
CLASS, xrefs: 00453188, 004531A5
NAME, xrefs: 00453335, 00453346
CLASSNN, xrefs: 004531F3, 00453204

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[K
API String ID: 176396367-19976038
Opcode ID: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction ID: 40ed83ab558472b0f145418a6bbaca29da164d73c8288926d44387cffdf2d2d0
Opcode Fuzzy Hash: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction Fuzzy Hash: 81E1F731A00519ABCB149F74C4417EEFBB0BF44792F64816BEC56A7341DB38AE8D87A4

Function 004100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004100C6

Part of subcall function 004100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004C070C,00000FA0,BB9D4817,?,?,?,?,004323B3,000000FF), ref: 0041011C
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004323B3,000000FF), ref: 00410127
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004323B3,000000FF), ref: 00410138
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041014E
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041015C
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041016A
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00410195
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004101A0

___scrt_fastfail.LIBCMT ref: 004100E7

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

Strings

SleepConditionVariableCS, xrefs: 00410154
kernel32.dll, xrefs: 00410133
WakeAllConditionVariable, xrefs: 00410162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00410122
InitializeConditionVariable, xrefs: 00410148

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction ID: 9f2ad5eea65327db13b59e5608beb83f706174fc2d7d5cd35ffa8eefb7280e49
Opcode Fuzzy Hash: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction Fuzzy Hash: 2D21DA32645710ABD7116B64AC89BAE37D4DB44B55F10053FF901E2691DBFD98808BAC

Function 004644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0048CC08), ref: 00464527
_wcslen.LIBCMT ref: 0046453B
_wcslen.LIBCMT ref: 00464599
_wcslen.LIBCMT ref: 004645F4
_wcslen.LIBCMT ref: 0046463F
_wcslen.LIBCMT ref: 004646A7

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

GetDriveTypeW.KERNEL32(?,004B6BF0,00000061), ref: 00464743

Strings

ramdisk, xrefs: 004646F1
cdrom, xrefs: 0046458F, 00464594
unknown, xrefs: 00464708
fixed, xrefs: 00464635, 0046463A
network, xrefs: 0046469D, 004646A2
removable, xrefs: 004645EA, 004645EF
all, xrefs: 00464531, 00464536

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d48658873f1a559ad19d0538a2c299016bc3c6f4148521babe9ce3703eef0d3a
Instruction ID: 76bc457824fd5a8e38d641a3c6b30196ec379c60472df309a080d541101db248
Opcode Fuzzy Hash: d48658873f1a559ad19d0538a2c299016bc3c6f4148521babe9ce3703eef0d3a
Instruction Fuzzy Hash: E4B1DE716083029BCB10EF28C890A6BB7E5AFE5724F50491EF59687291E738D845CB6B

Function 0048911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DragQueryPoint.SHELL32(?,?), ref: 00489147

Part of subcall function 00487674: ClientToScreen.USER32(?,?), ref: 0048769A
Part of subcall function 00487674: GetWindowRect.USER32(?,?), ref: 00487710
Part of subcall function 00487674: PtInRect.USER32(?,?,00488B89), ref: 00487720

SendMessageW.USER32(?,000000B0,?,?), ref: 004891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00489225
SendMessageW.USER32(?,000000B0,?,?), ref: 0048923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00489255
SendMessageW.USER32(?,000000B1,?,?), ref: 00489277
DragFinish.SHELL32(?), ref: 0048927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00489371

Strings

@GUI_DROPID, xrefs: 0048929E
@GUI_DRAGFILE, xrefs: 00489320
@GUI_DRAGID, xrefs: 004892E9
p#L, xrefs: 004892BB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#L
API String ID: 221274066-253960678
Opcode ID: 053a0a073e9784718b521d89a0069f54e98f3ddfd030b8667b4e440ec25b097a
Instruction ID: fa789d4e5e6cab69fc60fa375c44d4ebbe1f71fbe05fbe60f11454df0d127bd7
Opcode Fuzzy Hash: 053a0a073e9784718b521d89a0069f54e98f3ddfd030b8667b4e440ec25b097a
Instruction Fuzzy Hash: 7261AF71108305AFC702EF60DC85EAFBBE8EF89750F00092EF595971A1DB749A49CB66

Function 00473FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0048CC08), ref: 004740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0048CC08), ref: 004740F2
FreeLibrary.KERNEL32(00000000,?,0048CC08), ref: 0047413E
StringFromGUID2.OLE32(?,?,00000028,?,0048CC08), ref: 004741A8
SysFreeString.OLEAUT32(00000009), ref: 00474262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004742C8
SysFreeString.OLEAUT32(?), ref: 004742F2

Strings

kernel32.dll, xrefs: 004740B6
GetModuleHandleExW, xrefs: 004740C7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c2bb9abe55e77e080aa3d84258cbdc034f6654104fce05ca05b5dbf8eb820013
Instruction ID: f2147ab93c94f37d51c5ce2fedcc006a2d0a9d6e43b07c965cb015b616f8c5b0
Opcode Fuzzy Hash: c2bb9abe55e77e080aa3d84258cbdc034f6654104fce05ca05b5dbf8eb820013
Instruction Fuzzy Hash: D9124971A00119EFDB14DF94C884EBEB7B9FF85318F24809AE9099B251C735ED46CBA4

Function 003F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004C1990), ref: 00432F8D
GetMenuItemCount.USER32(004C1990), ref: 0043303D
GetCursorPos.USER32(?), ref: 00433081
SetForegroundWindow.USER32(00000000), ref: 0043308A
TrackPopupMenuEx.USER32(004C1990,00000000,?,00000000,00000000,00000000), ref: 0043309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004330A9

Strings

0, xrefs: 003F327D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 923de134647903d376f248aa5b625946dbd8fc3a4e664623e55e7b3bf5e2a8af
Instruction ID: 790bc4b8949cf919f172c53be374ab743087996417ec14102c960572519acd8c
Opcode Fuzzy Hash: 923de134647903d376f248aa5b625946dbd8fc3a4e664623e55e7b3bf5e2a8af
Instruction Fuzzy Hash: A1711B30640215BEEB259F25CD89FAFBF64FF05364F204217F614662E1C7B5A910DB98

Function 00486CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00486DEB

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00486E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00486E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486E94
DestroyWindow.USER32(?), ref: 00486EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003F0000,00000000), ref: 00486EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486EFD
GetDesktopWindow.USER32 ref: 00486F16
GetWindowRect.USER32(00000000), ref: 00486F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00486F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00486F4D

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

Strings

0, xrefs: 00486D98
tooltips_class32, xrefs: 00486E58, 00486EDD

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction ID: f63ad76f83c3ae4f629a091c1fe34e9af3b0f3fb2a73dcedcc98976084c7f895
Opcode Fuzzy Hash: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction Fuzzy Hash: 9E715B74104244AFDB61DF18D848FBBBBE9FB89304F14082EFA8997261D774E905CB29

Function 0046C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0046C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0046C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0046C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C5F0
InternetCloseHandle.WININET(00000000), ref: 0046C5FB

Strings

, xrefs: 0046C575

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction ID: 4bfb902cb3bba7b8e87fdf5d3c32576428c75e43aa313e624adfa18d7b0ebd26
Opcode Fuzzy Hash: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction Fuzzy Hash: 6A5130B1500205BFDB219F65CDC8ABB7BBCFB04754F00442EF98696650EB38E9449B6A

Function 0048856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00488592
GetFileSize.KERNEL32(00000000,00000000), ref: 004885A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 004885AD
CloseHandle.KERNEL32(00000000), ref: 004885BA
GlobalLock.KERNEL32(00000000), ref: 004885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004885D7
GlobalUnlock.KERNEL32(00000000), ref: 004885E0
CloseHandle.KERNEL32(00000000), ref: 004885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004885F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048FC38,?), ref: 00488611
GlobalFree.KERNEL32(00000000), ref: 00488621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00488641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00488671
DeleteObject.GDI32(00000000), ref: 00488699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004886AF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction ID: 0aa68d59621e6fd308911668f8624ebbcaa6517ec47231c89ee5ad573e867e2c
Opcode Fuzzy Hash: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction Fuzzy Hash: 31410975600208AFDB119FA5DC88EAF7BB9EF89B11F10486DF905E7260DB349901DB64

Function 004614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00461502
VariantCopy.OLEAUT32(?,?), ref: 0046150B
VariantClear.OLEAUT32(?), ref: 00461517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00461657
VariantInit.OLEAUT32(?), ref: 00461708
SysFreeString.OLEAUT32(?), ref: 0046178C
VariantClear.OLEAUT32(?), ref: 004617D8
VariantClear.OLEAUT32(?), ref: 004617E7
VariantInit.OLEAUT32(00000000), ref: 00461823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00461625
Default, xrefs: 004616AF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1baebdc7bf9a3db7b498dbc79fae0e70fb1b2e5577e41208850f2ee2e16f32f9
Instruction ID: accdc237d4657eb069f351c6ced8919dbe770439af802637189d647260ae1b85
Opcode Fuzzy Hash: 1baebdc7bf9a3db7b498dbc79fae0e70fb1b2e5577e41208850f2ee2e16f32f9
Instruction Fuzzy Hash: F4D1DE71A00205EBDB109F65D884B7AF7B5BF44700F18846BE407AB2A0EB38D845DB6B

Function 0047B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0047B80A
RegCloseKey.ADVAPI32(?), ref: 0047B87E
RegCloseKey.ADVAPI32(?), ref: 0047B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0047B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0047B922
FreeLibrary.KERNEL32(00000000), ref: 0047B983
RegCloseKey.ADVAPI32(00000000), ref: 0047B994

Strings

advapi32.dll, xrefs: 0047B8ED
RegDeleteKeyExW, xrefs: 0047B8FE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b03cc10799f744469afed01e0e90d1ef8a2cd4ee33239e70b6b78b35e727a88f
Instruction ID: 218b47cb049260da9ea32acdcd5d692a3f09cd160b3b7e2f9cec2808d59cfb60
Opcode Fuzzy Hash: b03cc10799f744469afed01e0e90d1ef8a2cd4ee33239e70b6b78b35e727a88f
Instruction Fuzzy Hash: 87C18A70204201AFD715DF24C495F6ABBE5FF84308F14C49DE5AA8B3A2CB75E845CB96

Function 0047255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004725E8
CreateCompatibleDC.GDI32(?), ref: 004725F4
SelectObject.GDI32(00000000,?), ref: 00472601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0047266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004726D0
SelectObject.GDI32(?,?), ref: 004726D8
DeleteObject.GDI32(?), ref: 004726E1
DeleteDC.GDI32(?), ref: 004726E8
ReleaseDC.USER32(00000000,?), ref: 004726F3

Strings

(, xrefs: 0047268D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 37421b0e85a99f9bc7b1666a1fd7570f1cdb4db4bf485e9589eecd68ff011e1d
Instruction ID: e7d61e7dd733fc17fd61df119f419e9c388f969b69e005b856f26453acb11f16
Opcode Fuzzy Hash: 37421b0e85a99f9bc7b1666a1fd7570f1cdb4db4bf485e9589eecd68ff011e1d
Instruction Fuzzy Hash: D561E475D00219EFCF14CFA4D984AAEBBB5FF48310F20852EE959A7250E774A941CFA4

Function 0042DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0042DAA1

Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D659
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D66B
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D67D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D68F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6A1
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6B3
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6C5
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6D7
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6E9
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6FB
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D70D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D71F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D731

_free.LIBCMT ref: 0042DA96

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042DAB8
_free.LIBCMT ref: 0042DACD
_free.LIBCMT ref: 0042DAD8
_free.LIBCMT ref: 0042DAFA
_free.LIBCMT ref: 0042DB0D
_free.LIBCMT ref: 0042DB1B
_free.LIBCMT ref: 0042DB26
_free.LIBCMT ref: 0042DB5E
_free.LIBCMT ref: 0042DB65
_free.LIBCMT ref: 0042DB82
_free.LIBCMT ref: 0042DB9A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction ID: 8c6538349f1c1df214072464867c5d11e0170f903ba1a5be16ba73d058879983
Opcode Fuzzy Hash: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction Fuzzy Hash: EF314CB1B04224AFDB21AB3AF945B577BE9FF04315FD1442BE449D7291DA78AC808728

Function 0045365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045369C
_wcslen.LIBCMT ref: 004536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00453797
GetClassNameW.USER32(?,?,00000400), ref: 0045380C
GetDlgCtrlID.USER32(?), ref: 0045385D
GetWindowRect.USER32(?,?), ref: 00453882
GetParent.USER32(?), ref: 004538A0
ScreenToClient.USER32(00000000), ref: 004538A7
GetClassNameW.USER32(?,?,00000100), ref: 00453921
GetWindowTextW.USER32(?,?,00000400), ref: 0045395D

Strings

%s%u, xrefs: 00453734

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ddd798a99de097ec0ffc45f866d9398ba511ef071a2e0c8a0ccb2817061bfdf6
Instruction ID: abd9ee5345c8a818c5140debdf3aade02df6db6b4d0bf682e42abd3070429a9d
Opcode Fuzzy Hash: ddd798a99de097ec0ffc45f866d9398ba511ef071a2e0c8a0ccb2817061bfdf6
Instruction Fuzzy Hash: 9F91D5B1204206AFD719DF24C884BEAF7A8FF44386F00452EFD95D2251D734EA49CB95

Function 00454954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00454994
GetWindowTextW.USER32(?,?,00000400), ref: 004549DA
_wcslen.LIBCMT ref: 004549EB
CharUpperBuffW.USER32(?,00000000), ref: 004549F7
_wcsstr.LIBVCRUNTIME ref: 00454A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00454A64
GetWindowTextW.USER32(?,?,00000400), ref: 00454A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00454AE6
GetClassNameW.USER32(?,?,00000400), ref: 00454B20
GetWindowRect.USER32(?,?), ref: 00454B8B

Strings

ThumbnailClass, xrefs: 00454A6F, 00454AF1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 6b05d6001487f36d9b32dea9f38fd2135f4c365dc7817afae152df95a3b63d46
Instruction ID: ecee6e1e79dac2bd9c8fa0e0af9f7954bafdb22244ef5df6c89adfe6976f0b63
Opcode Fuzzy Hash: 6b05d6001487f36d9b32dea9f38fd2135f4c365dc7817afae152df95a3b63d46
Instruction Fuzzy Hash: 3291A0710042059BDB05CF14C985BAB77E8EF84319F04446EFD859A296EB38ED89CB69

Function 0045BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(004C1990,000000FF,00000000,00000030), ref: 0045BFAC
SetMenuItemInfoW.USER32(004C1990,00000004,00000000,00000030), ref: 0045BFE1
Sleep.KERNEL32(000001F4), ref: 0045BFF3
GetMenuItemCount.USER32(?), ref: 0045C039
GetMenuItemID.USER32(?,00000000), ref: 0045C056
GetMenuItemID.USER32(?,-00000001), ref: 0045C082
GetMenuItemID.USER32(?,?), ref: 0045C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0045C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045C145

Strings

0, xrefs: 0045BF3D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2b01688d20dee86ae330ec5c8d26a2990627d7eca631faaf6306f1ea74c2d702
Instruction ID: 417a4e5458ba80015ae341c19f14753463cd91425f705b475d8c75f4d48e1611
Opcode Fuzzy Hash: 2b01688d20dee86ae330ec5c8d26a2990627d7eca631faaf6306f1ea74c2d702
Instruction Fuzzy Hash: 8E618070900359AFDF11CFA4DDC8AAF7BA9EB05349F00042AED01A3292C779AD09CB65

Function 0047CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0047CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD48

Part of subcall function 0047CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0047CCAA
Part of subcall function 0047CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0047CCBD
Part of subcall function 0047CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047CCCF
Part of subcall function 0047CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD05
Part of subcall function 0047CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0047CCF3

Strings

advapi32.dll, xrefs: 0047CCB8
RegDeleteKeyExW, xrefs: 0047CCC9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction ID: b526d67e72e73fb48bd2b8ceb663a8e957b1de3830f45f813ee167ae50449fdd
Opcode Fuzzy Hash: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction Fuzzy Hash: C0318071901128BBD7219B90DCC8EFFBB7CEF46740F00456AA909E2240D6389A459BB8

Function 00463D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00463D40
_wcslen.LIBCMT ref: 00463D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00463D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00463DBE
RemoveDirectoryW.KERNEL32(?), ref: 00463DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00463E55
CloseHandle.KERNEL32(00000000), ref: 00463E60
CloseHandle.KERNEL32(00000000), ref: 00463E6B

Strings

\, xrefs: 00463D77
:, xrefs: 00463D82
\??\%s, xrefs: 00463D5B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 24319dfebb7c4985505829fca9a2eea7fdca3ed4d0abd6f6a07af41de7123418
Instruction ID: 1e382e41ae10885966ad57f550e6395beda85de448b66bcd71a751b4bf4b9e13
Opcode Fuzzy Hash: 24319dfebb7c4985505829fca9a2eea7fdca3ed4d0abd6f6a07af41de7123418
Instruction Fuzzy Hash: 55319271900249ABDB219FA0DC89FEF37BCEF88705F1040BAF505D61A0E77897448B29

Function 0045E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045E6B4

Part of subcall function 0040E551: timeGetTime.WINMM(?,?,0045E6D4), ref: 0040E555

Sleep.KERNEL32(0000000A), ref: 0045E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0045E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0045E727
SetActiveWindow.USER32 ref: 0045E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0045E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0045E773
Sleep.KERNEL32(000000FA), ref: 0045E77E
IsWindow.USER32 ref: 0045E78A
EndDialog.USER32(00000000), ref: 0045E79B

Strings

BUTTON, xrefs: 0045E719

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction ID: e2c5064202ac8c686994d103c9979b7dd76f824764c19243a4c05ccf6ae69f59
Opcode Fuzzy Hash: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction Fuzzy Hash: 44219874200241AFEB055F22EDC9E2A3B59F75534AF50083AFC51911B2DFB59D049B3C

Function 0045E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EAA7

Strings

play PlayMe wait, xrefs: 0045EA91
play PlayMe, xrefs: 0045EAA2
status PlayMe mode, xrefs: 0045EA58
alias PlayMe, xrefs: 0045EA36
open , xrefs: 0045EA0C
close PlayMe, xrefs: 0045EA6E, 0045EA9B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d3705989b8443b9896b469f3b719ed059ad1bfc1432184f59ba7cf101a811b33
Instruction ID: dc91014354a256df840c4ef1118a820b536ab44b4817d1352c2dcfcfa8b382c7
Opcode Fuzzy Hash: d3705989b8443b9896b469f3b719ed059ad1bfc1432184f59ba7cf101a811b33
Instruction Fuzzy Hash: 58119171A9022D79D725A7B2DC4AEFF6A7CEBD1B40F10042BB901A60D1EAB80E05C5B4

Function 00455CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00455CE2
GetWindowRect.USER32(00000000,?), ref: 00455CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00455D59
GetDlgItem.USER32(?,00000002), ref: 00455D69
GetWindowRect.USER32(00000000,?), ref: 00455D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00455DCF
GetDlgItem.USER32(?,000003E9), ref: 00455DDD
GetWindowRect.USER32(00000000,?), ref: 00455DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00455E31
GetDlgItem.USER32(?,000003EA), ref: 00455E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00455E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00455E67

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction ID: 68f4ec4c7399b15aa5fed06fbe030034c976c0590e94e47072334237c65cce04
Opcode Fuzzy Hash: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction Fuzzy Hash: B7512F71A00605AFDB18CFA8DD99AAE7BB5EF48301F108139F915E6291D7749E04CB64

Function 00408BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00408F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00408BE8,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408FC5

DestroyWindow.USER32(?), ref: 00408C81
KillTimer.USER32(00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00446973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000), ref: 004469D4
DeleteObject.GDI32(00000000), ref: 004469E6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction ID: cff51711837a7755d254e110f7c7a09d9aa00feeac3b1f31cc69b681727ae8ed
Opcode Fuzzy Hash: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction Fuzzy Hash: 8C61C370105600DFEB259F14DA48B2A77F1FB42316F10493EE082A6AB0CB79AC91DF6D

Function 00409838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetSysColor.USER32(0000000F), ref: 00409862

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction ID: e56d64e9a509d78ad41d093bb80661f9a5cd843a4067bbc636f30823604fe752
Opcode Fuzzy Hash: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction Fuzzy Hash: 8E41AB71114650AFDB205F389CC8BBA3765EB46330F14462AF9A2973E3D7359C42DB29

Function 00428D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.A, xrefs: 0042903A, 00428FD0, 00428FF2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: .A
API String ID: 0-2826776520
Opcode ID: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction ID: 8cf2c7effa1f850d3715cad79c7d43916aab17ccac6f92877fc6e067f8a8d725
Opcode Fuzzy Hash: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction Fuzzy Hash: 94C11975F04259AFCB11DFA9E840BAE7BB0BF09310F44409EE41597392CB799D42CB69

Function 004596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00459717
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459720

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00459742
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00459866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045984A
Line %d (File "%s"):, xrefs: 0045978F
Line %d:, xrefs: 004597A0
^ ERROR, xrefs: 004597FB
Error: , xrefs: 0045981D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ae7829787c186171823cb23a585ae0135791a55462c55d449e7f24ed9e09bef9
Instruction ID: 2f5c110c2837358e32782d9d8956147eaaa1ec517660a7dcb968dd22bdd10b6f
Opcode Fuzzy Hash: ae7829787c186171823cb23a585ae0135791a55462c55d449e7f24ed9e09bef9
Instruction Fuzzy Hash: 2241427290021DAACB05FBE1DE86EFE7778AF14341F100066F60576192EB796F48CB65

Function 004506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00450804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0045082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00450837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045083C

Strings

\IPC$, xrefs: 00450784
\CLSID, xrefs: 00450724
SOFTWARE\Classes\, xrefs: 0045070E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction ID: e63159ba8d502f5e09db7e3f390aba24c9e38df00547e5dd590cbdf234e98857
Opcode Fuzzy Hash: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction Fuzzy Hash: 8F41077681022DABDF12EBA4DC95DFEB778BF04390F14412AE905A7261EB745E04CBA4

Function 00473C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00473C5C
CoInitialize.OLE32(00000000), ref: 00473C8A
CoUninitialize.OLE32 ref: 00473C94
_wcslen.LIBCMT ref: 00473D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00473DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00473ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00473F0E
CoGetObject.OLE32(?,00000000,0048FB98,?), ref: 00473F2D
SetErrorMode.KERNEL32(00000000), ref: 00473F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00473FC4
VariantClear.OLEAUT32(?), ref: 00473FD8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction ID: c612b7ee773fdf2b635ca27ff4364f36e143851711818584a6f7e70554b50af8
Opcode Fuzzy Hash: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction Fuzzy Hash: 9EC177716083059FC710DF28C88496BB7E9FF89749F10895EF98A9B210D734EE06CB56

Function 00467A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00467AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00467B8F
SHGetDesktopFolder.SHELL32(?), ref: 00467BA3
CoCreateInstance.OLE32(0048FD08,00000000,00000001,004B6E6C,?), ref: 00467BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00467C74
CoTaskMemFree.OLE32(?,?), ref: 00467CCC
SHBrowseForFolderW.SHELL32(?), ref: 00467D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00467D7A
CoTaskMemFree.OLE32(00000000), ref: 00467D81
CoTaskMemFree.OLE32(00000000), ref: 00467DD6
CoUninitialize.OLE32 ref: 00467DDC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: bdeeac2d80cc18c1ec817d2041b3a46a68c12f51c9950c192b6bf0449598b86a
Instruction ID: 1b3dfa480e1c69578b7806e6ca6b33e78142c27a38e5d66da5e481c6d26a6627
Opcode Fuzzy Hash: bdeeac2d80cc18c1ec817d2041b3a46a68c12f51c9950c192b6bf0449598b86a
Instruction Fuzzy Hash: 13C13B75A04109AFCB14DFA4C884DAEBBF9FF48308B1484A9E91ADB361D734ED45CB94

Function 0048541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00485504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00485515
CharNextW.USER32(00000158), ref: 00485544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00485585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0048559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004855AC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction ID: 16c65f7e30c19403ed214845e6ab053deabf55a2e8c76e4d0bf2e2beb63a21ea
Opcode Fuzzy Hash: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction Fuzzy Hash: 9261BF70900608EBDF11EF50CC84EFF7BB9EF05721F10485AF925A62A0D7388A81DB69

Function 0044FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0044FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0044FB08
VariantInit.OLEAUT32(?), ref: 0044FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0044FB3A
VariantCopy.OLEAUT32(?,?), ref: 0044FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0044FBA1
VariantClear.OLEAUT32(?), ref: 0044FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0044FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBCC
VariantClear.OLEAUT32(?), ref: 0044FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBE9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction ID: 220ce899de65be10a56fe4a29c84f37def32944f1d8faa819a0f92cf537007df
Opcode Fuzzy Hash: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction Fuzzy Hash: 41415F35A002199FDB00DF64D894DAEBBB9FF48744F00847AE915AB261DB34A945CFA4

Function 00459C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00459CA1
GetAsyncKeyState.USER32(000000A0), ref: 00459D22
GetKeyState.USER32(000000A0), ref: 00459D3D
GetAsyncKeyState.USER32(000000A1), ref: 00459D57
GetKeyState.USER32(000000A1), ref: 00459D6C
GetAsyncKeyState.USER32(00000011), ref: 00459D84
GetKeyState.USER32(00000011), ref: 00459D96
GetAsyncKeyState.USER32(00000012), ref: 00459DAE
GetKeyState.USER32(00000012), ref: 00459DC0
GetAsyncKeyState.USER32(0000005B), ref: 00459DD8
GetKeyState.USER32(0000005B), ref: 00459DEA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction ID: 778489422927b60af10a842d20d1dbf47ef51cc5d508505e7aecb2b1b0e66306
Opcode Fuzzy Hash: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction Fuzzy Hash: 5241A6345047C9A9FF31966088443A7BEB06B11345F08805FDEC6567C3E7A99DCCC7AA

Function 0047055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004705BC
inet_addr.WSOCK32(?), ref: 0047061C
gethostbyname.WSOCK32(?), ref: 00470628
IcmpCreateFile.IPHLPAPI ref: 00470636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004707B9
WSACleanup.WSOCK32 ref: 004707BF

Strings

Ping, xrefs: 00470676

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: db5a05e8f10a0c092c3ada48beb2ff1970bb45c7ac3c432de0779aabb4d33310
Instruction ID: f64d4ef6c2d671f1ca54230fd770b579a2d092135a22c753732f1fff025d68e0
Opcode Fuzzy Hash: db5a05e8f10a0c092c3ada48beb2ff1970bb45c7ac3c432de0779aabb4d33310
Instruction Fuzzy Hash: AB918B35605201EFD324DF25C488F5ABBE0AF44318F14C9AAE4699B7A2C738EC45CF95

Function 00478CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00478CF3

Part of subcall function 00458E54: _wcslen.LIBCMT ref: 00458E77

_wcslen.LIBCMT ref: 00478D4E
_wcslen.LIBCMT ref: 00478D9C
_wcslen.LIBCMT ref: 00478DDC
_wcslen.LIBCMT ref: 00478E6E

Strings

none, xrefs: 00478E65, 00478E6A
stdcall, xrefs: 00478DD6, 00478DDB
winapi, xrefs: 00478D96, 00478D9B
cdecl, xrefs: 00478D48, 00478D4D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction ID: 75cd0e73bd09a142bb394b5f6524e200b45c811073d8b225ded93bb323b281a5
Opcode Fuzzy Hash: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction Fuzzy Hash: D351A331A405169BCB24DF68C9449FEB7A5BF64324B20822FE52AE73C4DB38DD41C794

Function 0047372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00473774
CoUninitialize.OLE32 ref: 0047377F
CoCreateInstance.OLE32(?,00000000,00000017,0048FB78,?), ref: 004737D9
IIDFromString.OLE32(?,?), ref: 0047384C
VariantInit.OLEAUT32(?), ref: 004738E4
VariantClear.OLEAUT32(?), ref: 00473936

Strings

Failed to create object, xrefs: 004737E4, 0047389A
NULL Pointer assignment, xrefs: 0047381E
Invalid parameter, xrefs: 00473865

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7419f7f11f5e20f2eaeebeb8385d108b4eb62b0b4d08f8fb7beda04b9249b8c9
Instruction ID: 5f2d20d677643dccc01dffd8ed0ed1df1d2c7cc31a92e8f63aaa55bd461a7017
Opcode Fuzzy Hash: 7419f7f11f5e20f2eaeebeb8385d108b4eb62b0b4d08f8fb7beda04b9249b8c9
Instruction Fuzzy Hash: 9661B2706083019FD310EF54C884FAAB7E4AF45706F10885EF5899B291C778EE49DB9B

Function 00463388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004633CF

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004633F0

Strings

Incorrect parameters to object property !, xrefs: 004634AB
^ ERROR , xrefs: 0046349E
"%s" (%d) : ==> %s:, xrefs: 00463522
Line %d (File "%s"):, xrefs: 00463443, 0046345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00463504
Error: , xrefs: 004634D1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: daa04a994a06453badf91b2dd0f28a443abe077401f8cf2077ecd782cea18cd7
Instruction ID: 95ea1e9117fc4f38a5f834719469869b483dc7579d50c630a84982d0b3697d8b
Opcode Fuzzy Hash: daa04a994a06453badf91b2dd0f28a443abe077401f8cf2077ecd782cea18cd7
Instruction Fuzzy Hash: 1F51AD71900259BADF16EBA0CD42EFEB378AF04345F204066F505761A2EB392F58CB69

Function 0045B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0045B5FC
_wcslen.LIBCMT ref: 0045B608
_wcslen.LIBCMT ref: 0045B64D
_wcslen.LIBCMT ref: 0045B68C
_wcslen.LIBCMT ref: 0045B6C7

Strings

EXISTS, xrefs: 0045B686, 0045B68B
REMOVE, xrefs: 0045B602, 0045B607
KEYS, xrefs: 0045B647, 0045B64C
APPEND, xrefs: 0045B6C1, 0045B6C6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction ID: bc3a8696c577d864c1dd772c32393e7e850f1a8e802c1afc1cc9c98f1848c76c
Opcode Fuzzy Hash: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction Fuzzy Hash: 79411532A000269ACB106F7D88905BF77A1EFA0755B24412BEC21DB386E739CC85C7D5

Function 00465393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00465416
GetLastError.KERNEL32 ref: 00465420
SetErrorMode.KERNEL32(00000000,READY), ref: 004654A7

Strings

READY, xrefs: 00465460, 00465468
UNKNOWN, xrefs: 00465444
INVALID, xrefs: 00465459
READONLY, xrefs: 00465452
NOTREADY, xrefs: 0046544B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction ID: 46efd04a48ac9cee71bf95231e9e041e98423be88451ed673366f7ddc9d80b0c
Opcode Fuzzy Hash: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction Fuzzy Hash: 6D31A335A006049FC711DF68C484BAA7BB4EF45305F1484ABE505CF392EB79DD86CBA6

Function 00483C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00483C79
SetMenu.USER32(?,00000000), ref: 00483C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00483D10
IsMenu.USER32(?), ref: 00483D24
CreatePopupMenu.USER32 ref: 00483D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00483D5B
DrawMenuBar.USER32 ref: 00483D63

Strings

F, xrefs: 00483D4E
0, xrefs: 00483C54

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction ID: 701700726a5e73681bb4a34ad9fa6c75977d20d783e24b6d982070f5b3702602
Opcode Fuzzy Hash: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction Fuzzy Hash: 4D4179B5A01209AFDF14DF64D884EAE7BF5FF49341F14482EE90697360D734AA10CBA8

Function 00451EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00451F64
GetDlgCtrlID.USER32 ref: 00451F6F
GetParent.USER32 ref: 00451F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00451F8E
GetDlgCtrlID.USER32(?), ref: 00451F97
GetParent.USER32(?), ref: 00451FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00451FAE

Strings

ComboBox, xrefs: 00451EEC
ListBox, xrefs: 00451F21

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a7d79d2bb32643f602fbf3aa7283b2815bb87b3114f949e60829f44ff5d86b65
Instruction ID: 60f82a6205cf8b68426ea2cc488cd54fd8d8f336b84cdb1df9928e1855c25437
Opcode Fuzzy Hash: a7d79d2bb32643f602fbf3aa7283b2815bb87b3114f949e60829f44ff5d86b65
Instruction Fuzzy Hash: 1C21C871900114BBCF05AFA0DC85FFEBB74EF05350B10056AF951672A1DB395908DB78

Function 00451FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00452043
GetDlgCtrlID.USER32 ref: 0045204E
GetParent.USER32 ref: 0045206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045206D
GetDlgCtrlID.USER32(?), ref: 00452076
GetParent.USER32(?), ref: 0045208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045208D

Strings

ComboBox, xrefs: 00451FCD
ListBox, xrefs: 00452002

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d5f54842e2b3d3eedfd2dc515788003d0b379de6ce334235ba0eb0d7dc5c2213
Instruction ID: c5facf04ff6c5a92450023a4a84ed29772c116862f70c48e7b504206f727b9af
Opcode Fuzzy Hash: d5f54842e2b3d3eedfd2dc515788003d0b379de6ce334235ba0eb0d7dc5c2213
Instruction Fuzzy Hash: 3521B371900218BBCF11AFA0DD85BFEBBB8AF05340F100467FA51A7292D6795518DB74

Function 00483A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00483A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00483AA0
GetWindowLongW.USER32(?,000000F0), ref: 00483AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00483AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00483B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00483BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00483BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00483BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00483BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00483C13

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction ID: acd38336165f97eb10b0d3ccfafaecd7a3a69742e923af650a003457ecb2b94a
Opcode Fuzzy Hash: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction Fuzzy Hash: D6618EB5900248AFDB10EF64CC81EEE77B8EF09704F10046AFA15A73A2D774AE45DB54

Function 0045B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B165
GetWindowThreadProcessId.USER32(00000000), ref: 0045B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0045B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B21D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 31c3cbedc4d90622b81189c819a9ff36a5e0ae8bc1c64d5d97b98cf04592cf49
Instruction ID: 62f5f9534366871ac0784898bb42fb7d2171c5c223e2ffd1be2894c7bada5e40
Opcode Fuzzy Hash: 31c3cbedc4d90622b81189c819a9ff36a5e0ae8bc1c64d5d97b98cf04592cf49
Instruction Fuzzy Hash: 4331A072540604AFDB509F65EC88FAE7BA9FB50357F10842AFD01D6291D7B899048FBC

Function 00422C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00422C94

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 00422CA0
_free.LIBCMT ref: 00422CAB
_free.LIBCMT ref: 00422CB6
_free.LIBCMT ref: 00422CC1
_free.LIBCMT ref: 00422CCC
_free.LIBCMT ref: 00422CD7
_free.LIBCMT ref: 00422CE2
_free.LIBCMT ref: 00422CED
_free.LIBCMT ref: 00422CFB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction ID: b42d3b70af5c7a602d15bdbfb6c6c32db1967305625165700ea54422be7e08b3
Opcode Fuzzy Hash: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction Fuzzy Hash: CB1199B5300118BFCB02EF55EA42CDD3B65FF09354FC144AAF9485B222D675EA909B54

Function 00467DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00467FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00467FC1
GetFileAttributesW.KERNEL32(?), ref: 00467FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00468005
SetCurrentDirectoryW.KERNEL32(?), ref: 00468017
SetCurrentDirectoryW.KERNEL32(?), ref: 00468060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004680B0

Strings

*.*, xrefs: 00468066

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 17953cfc1602a42c42505ebef596bd4a7dc4ae615f5cd041efe281340522b3e6
Instruction ID: 45c86177b29509e5d5e1356b82045de453a3487279a8ffb171b398051ba4f7f2
Opcode Fuzzy Hash: 17953cfc1602a42c42505ebef596bd4a7dc4ae615f5cd041efe281340522b3e6
Instruction Fuzzy Hash: EA81AF725083059BCB20EF54C4409ABB3E8AF88318F144D6FF885C7250EB3ADD498B5B

Function 003F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003F5C7A

Part of subcall function 003F5D0A: GetClientRect.USER32(?,?), ref: 003F5D30
Part of subcall function 003F5D0A: GetWindowRect.USER32(?,?), ref: 003F5D71
Part of subcall function 003F5D0A: ScreenToClient.USER32(?,?), ref: 003F5D99

GetDC.USER32 ref: 004346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00434708
SelectObject.GDI32(00000000,00000000), ref: 00434716
SelectObject.GDI32(00000000,00000000), ref: 0043472B
ReleaseDC.USER32(?,00000000), ref: 00434733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004347C4

Strings

U, xrefs: 00434693

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction ID: d33696807b31993a450d545f2cd8c7b3c174638107d7b16ca1433722f0297f0c
Opcode Fuzzy Hash: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction Fuzzy Hash: EE710435400209DFCF219F64C985AFA7BB5FF8A314F14126AEE525A2A6C338A841DF64

Function 0046359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00463742
Line %d (File "%s"):, xrefs: 0046366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00463724
^ ERROR, xrefs: 004636C9
Error: , xrefs: 004636EF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 72cfa0e2beae5424a48875973e3dca64dcffd4211e08eb7423e351f2d5211c0f
Instruction ID: 9af0c90beb4d1bc8fc252cc1f4625a60772290acabbafe1c6e4bfb0f14c979b0
Opcode Fuzzy Hash: 72cfa0e2beae5424a48875973e3dca64dcffd4211e08eb7423e351f2d5211c0f
Instruction Fuzzy Hash: 83518C7190024DBADF16EFA0CC42EEEBB78AF04345F144126F605761A2EB341A99DF69

Function 0046C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C2CA
GetLastError.KERNEL32 ref: 0046C322
SetEvent.KERNEL32(?), ref: 0046C336
InternetCloseHandle.WININET(00000000), ref: 0046C341

Strings

, xrefs: 0046C2BB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction ID: 6d8a1149503b69150bc10fcfbc1d7ce4adafefc9567d9eaa33c397f341780048
Opcode Fuzzy Hash: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction Fuzzy Hash: 73316171500204AFD7219F6598C4A7B7AFCEB45744B10852EF88692340EB38DD459B7A

Function 0045989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00433AAF,?,?,Bad directive syntax error,0048CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004598BC
LoadStringW.USER32(00000000,?,00433AAF,?), ref: 004598C3

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00459987

Strings

., xrefs: 0045996D
Error: , xrefs: 00459955
Line %d (File "%s"):, xrefs: 0045992D
Line %d:, xrefs: 00459912
%s (%d) : ==> %s.: %s %s, xrefs: 004598F1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 84dd91e960b490426f9d1bd0fcb130098a3c07f9604a709d5a28cffca1b0b7be
Instruction ID: ab93eaadc188b7b52daa71c929ae79821ee9ac7d2bf2a5296f16afe8983c778e
Opcode Fuzzy Hash: 84dd91e960b490426f9d1bd0fcb130098a3c07f9604a709d5a28cffca1b0b7be
Instruction Fuzzy Hash: 91216D3190021EEBCF16EF90CC46FEE7775BF18345F04446BF615661A2EA39AA18CB25

Function 0045209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0045214D

Strings

largeicons, xrefs: 004520E1
smallicons, xrefs: 00452115
details, xrefs: 004520FB
list, xrefs: 0045212F
SHELLDLL_DefView, xrefs: 004520CC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction ID: 1524e517af4764603b9711b45c3e74a2a7a168af88e335f1d7e8b11d7f138fd8
Opcode Fuzzy Hash: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction Fuzzy Hash: 7B112776688B07B9F60526219C06EEB739CCF06325B20002BFF04A40D3FAAD68465A2C

Function 0042CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0042CEB7
_free.LIBCMT ref: 0042CF22
_free.LIBCMT ref: 0042CF48
_free.LIBCMT ref: 0042CF71
_free.LIBCMT ref: 0042CFA9
_free.LIBCMT ref: 0042CFDA
_free.LIBCMT ref: 0042D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0042D09C
_free.LIBCMT ref: 0042D0B5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction ID: 8ecf44d5ee49712c17a0e9b5bc95a0f2095afeaf3484a60eae8b7674395271ae
Opcode Fuzzy Hash: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction Fuzzy Hash: E56157B1B04220ABDB21AFB5BD81A6E7B95AF05314F85026FF801973C1DA7D9941879C

Function 004850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00485186
ShowWindow.USER32(?,00000000), ref: 004851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004851D1

Part of subcall function 00486FBA: DeleteObject.GDI32(00000000), ref: 00486FE6

GetWindowLongW.USER32(?,000000F0), ref: 0048520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0048521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0048524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00485287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00485296

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction ID: c759cbd2254ed4867fc50ad5a8ca7815fd53d45b2dd3f0bf46e2c89658f3b6ec
Opcode Fuzzy Hash: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction Fuzzy Hash: A951D130A40A08FEEF20AF25CC49BDD3B61FB05325F144867F614A62E1CB79A990DF59

Function 00408B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00446890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 00446901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0044691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 0044692D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction ID: 84fd6cea90f1d29cd7689acee7b7641abebe110f7ff8f1265664a147853fa1de
Opcode Fuzzy Hash: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction Fuzzy Hash: 56518CB0600209EFDB209F25CC91FAA7BB5FB45750F10452EF942A62E0DB78E991DB58

Function 0046C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C182
GetLastError.KERNEL32 ref: 0046C195
SetEvent.KERNEL32(?), ref: 0046C1A9

Part of subcall function 0046C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
Part of subcall function 0046C253: GetLastError.KERNEL32 ref: 0046C322
Part of subcall function 0046C253: SetEvent.KERNEL32(?), ref: 0046C336
Part of subcall function 0046C253: InternetCloseHandle.WININET(00000000), ref: 0046C341

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction ID: 971958e19a0c2fca2074c40f225e29c2f91d5a1e81ca7b4a91c23539293cb2a6
Opcode Fuzzy Hash: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction Fuzzy Hash: 5631A371900705AFDB219FA5DC94A7B7BF9FF14300B00486EF99682610E738E8159FA6

Function 004525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00452601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00452605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0045260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00452623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00452627

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction ID: e3a82d68e153152d46bcf380948a0891d719f5be9c2a2ba830618d780ce29cb2
Opcode Fuzzy Hash: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction Fuzzy Hash: EC01D831390214BBFB1067699CCEF593F59DB4EB52F10042AF714AE0D5C9F114488A7D

Function 00451803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00451449,?,?,00000000), ref: 0045180C
HeapAlloc.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451828
GetCurrentProcess.KERNEL32(?,00000000,?,00451449,?,?,00000000), ref: 00451830
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451843
GetCurrentProcess.KERNEL32(00451449,00000000,?,00451449,?,?,00000000), ref: 0045184B
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 0045184E
CreateThread.KERNEL32(00000000,00000000,00451874,00000000,00000000,00000000), ref: 00451868

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction ID: 0b3e0950913e9f6e315da38dbe2e5f02c675ea8af5bf8caebea2a0b432ac7692
Opcode Fuzzy Hash: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction Fuzzy Hash: 6401AC75240304BFE610ABA5DCCDF5B3B6CEB89B11F004425FA05DB1A1D6759C008F34

Function 00423E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00423F0B
__alldvrm.LIBCMT ref: 0042410C
__alldvrm.LIBCMT ref: 0042412E

Strings

}}A, xrefs: 00423E96, 00423EF1, 00423F0A, 00424090
}}A, xrefs: 004240CD
}}A, xrefs: 00423E8A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}A$}}A$}}A
API String ID: 1036877536-1592832002
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f3d7ceb3756fcc71c6d17f5e57dc4bc0656c58303c57c8c8bd55df100a5f2c16
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 54A14671B002A69FDB11CF18E8817BABBF4EFA6354F54416FE5859B381C23C9982C758

Function 0047A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0045D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Part of subcall function 0045D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Part of subcall function 0045D4DC: CloseHandle.KERNELBASE(00000000), ref: 0045D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A16D
GetLastError.KERNEL32 ref: 0047A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047A268
GetLastError.KERNEL32(00000000), ref: 0047A273
CloseHandle.KERNEL32(00000000), ref: 0047A2C4

Strings

SeDebugPrivilege, xrefs: 0047A18F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1d128e88aac11bd9e28e5c592c460470e8afa0ac0c0fb88c1e61310e4b0cbbd5
Instruction ID: 7fb4c1f3cd712be01fb5f79ac461eb2860ba507073127fbc50c3578c3597b9f0
Opcode Fuzzy Hash: 1d128e88aac11bd9e28e5c592c460470e8afa0ac0c0fb88c1e61310e4b0cbbd5
Instruction Fuzzy Hash: 37618E31204242AFD710DF18C494F6ABBA1AF84318F54C49DE45A4F7A3C77AEC49CB96

Function 00483886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00483925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0048393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00483954
_wcslen.LIBCMT ref: 00483999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004839F4

Strings

SysListView32, xrefs: 004838F7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction ID: bd272f113395a3d6b098024b282a76ff9a8b622db33025bf7cf63d2ad3dc4924
Opcode Fuzzy Hash: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction Fuzzy Hash: 3141B571A00218ABDB21AF64CC45FEF77A9EF08754F10092BF544E7291D7799E84CB98

Function 0045BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045BCFD
IsMenu.USER32(00000000), ref: 0045BD1D
CreatePopupMenu.USER32 ref: 0045BD53
GetMenuItemCount.USER32(00D57B30), ref: 0045BDA4
InsertMenuItemW.USER32(00D57B30,?,00000001,00000030), ref: 0045BDCC

Strings

0, xrefs: 0045BCA8
2, xrefs: 0045BD37

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction ID: 669360b0a132cc908f36b1488d3c8567c7bf58da3dbca081db33a98ca9a5a5db
Opcode Fuzzy Hash: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction Fuzzy Hash: 7C51D270600209ABDF11CFA9C8C4BAEBBF5EF44316F14412AEC4197392D778994DCBA9

Function 00412D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00412D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00412D53
_ValidateLocalCookies.LIBCMT ref: 00412DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00412E0C
_ValidateLocalCookies.LIBCMT ref: 00412E61

Strings

&HA, xrefs: 00412DFE, 00412E07, 00412E18
csm, xrefs: 00412DF6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HA$csm
API String ID: 1170836740-2536196076
Opcode ID: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction ID: b52905374fc3345b515913f73822002b3adbc2d4077bef2c8be53d3ffb7c5d6e
Opcode Fuzzy Hash: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction Fuzzy Hash: 3D41EA34A002089BCF10DF59D944ADFBBB4BF44314F148157E8149B352D7799AA1CBD8

Function 0045C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0045C913

Strings

question, xrefs: 0045C8CC
warning, xrefs: 0045C8FC
stop, xrefs: 0045C8E4
blank, xrefs: 0045C895
info, xrefs: 0045C8B4

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction ID: be839510f23b6bd0e403d1db3147214e7c791531d13ad0a05edba74cb55ea798
Opcode Fuzzy Hash: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction Fuzzy Hash: 9E110872789306BEA7006B159CC2DEB679CDF1575AB21002FF900A6283DB7C5D4552AD

Function 0045DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0045DE42
gethostname.WSOCK32(?,00000100), ref: 0045DE5C
gethostbyname.WSOCK32(?), ref: 0045DE69
inet_ntoa.WSOCK32(?), ref: 0045DEAB
_strcat.LIBCMT ref: 0045DEB9
WSACleanup.WSOCK32 ref: 0045DEDE

Strings

0.0.0.0, xrefs: 0045DE87

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fbb277c402a54225bf8f699578936de38cddf440550717832ca0df3da94430cc
Instruction ID: d0da2f6f9a0886d1a15ef13493f79cf781531c7d49adbf99d8d4f383cb4a990d
Opcode Fuzzy Hash: fbb277c402a54225bf8f699578936de38cddf440550717832ca0df3da94430cc
Instruction Fuzzy Hash: 1F112471800109ABCB34BB319C4AEEF37ACDF51316F00017FF805A6092EF788A858B68

Function 00489F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetSystemMetrics.USER32(0000000F), ref: 00489FC7
GetSystemMetrics.USER32(0000000F), ref: 00489FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048A263
ShowWindow.USER32(00000003,00000000), ref: 0048A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0048A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048A2CA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8490da7f5eb00f742a1aacaaf08e18165f8770dd6340efe2142f41433b361209
Instruction ID: 3b5882b487c0a15c45d9c454ef5e728710dff3498651276ca247834ba60ad70e
Opcode Fuzzy Hash: 8490da7f5eb00f742a1aacaaf08e18165f8770dd6340efe2142f41433b361209
Instruction Fuzzy Hash: AFB1CC31600215DFEF24DF68C9887AE3BB2BF44701F0884AAEC459B395D779A950CB66

Function 0045ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0045ED2A
_wcslen.LIBCMT ref: 0045ED3B
_wcslen.LIBCMT ref: 0045ED79
_wcslen.LIBCMT ref: 0045EDAF
_wcslen.LIBCMT ref: 0045EDDF
_wcslen.LIBCMT ref: 0045EDEF
_wcslen.LIBCMT ref: 0045EE2B
_wcslen.LIBCMT ref: 0045EE5A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction ID: 6dd039c406e029797ef7acfcdba5246e1c7c1b26ad219757a6144ede4d3ee701
Opcode Fuzzy Hash: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction Fuzzy Hash: 474194B5D1011875CB11EBF6888A9CFB7A8AF45710F50846BE914E3162FB38D395C3AD

Function 0040F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0040F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F454

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction ID: 4ae75237f5a3adf2bfeadc1457be019f873211722d6c367b93a594fb068308c8
Opcode Fuzzy Hash: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction Fuzzy Hash: 7F412CB1208640BAD7349B39D888B2B7B91AB96314F54443FE44772FE1D63DA889CB1D

Function 00482D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00482D1B
GetDC.USER32(00000000), ref: 00482D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00482D2E
ReleaseDC.USER32(00000000,00000000), ref: 00482D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00482D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00482D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00485A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00482DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00482DE1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction ID: 265f3074ff6e72798320041ea92058bcd3945252ce9ac07fa5c3f96a6c726f8f
Opcode Fuzzy Hash: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction Fuzzy Hash: 3B319F72201214BFEB115F54CC89FEB3FA9EF09755F044469FE08AA291D6B99C41CBB8

Function 00455622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455637
_memcmp.LIBVCRUNTIME ref: 00455659
_memcmp.LIBVCRUNTIME ref: 00455671
_memcmp.LIBVCRUNTIME ref: 00455684
_memcmp.LIBVCRUNTIME ref: 0045569E
_memcmp.LIBVCRUNTIME ref: 004556B1
_memcmp.LIBVCRUNTIME ref: 004556C9
_memcmp.LIBVCRUNTIME ref: 004556E4

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction ID: bdf6ebd21a75a77352c8f2b9a7832776332dc29246273ff3bbac6826e405e927
Opcode Fuzzy Hash: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction Fuzzy Hash: 0C21AD7164190DB7E21466124DA2FFF335CAF14346F640027FD085AA56F72CEE1986AD

Function 00474FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0047502E, 00475383
Not an Object type, xrefs: 00475007

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bf2e19673a08a325ffbf7a3a55e70778338e6997e95d2f6d8f7ac9b685d6b26e
Instruction ID: b27bd2729eb8a41d139a2653c365a6ae47eb832954383c612480dc811a8e78c4
Opcode Fuzzy Hash: bf2e19673a08a325ffbf7a3a55e70778338e6997e95d2f6d8f7ac9b685d6b26e
Instruction Fuzzy Hash: 1DD19171A0060A9FDB10CFA8C881BEEB7B5FF48344F14C46AE919AB291D7B4DD45CB64

Function 00431522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 004315CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00431651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004316E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004316FB

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00431777
__freea.LIBCMT ref: 004317A2
__freea.LIBCMT ref: 004317AE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction ID: 45edd733506f9f27479bd6caa0d43713a0da16328a00b30d4480552909d7ece6
Opcode Fuzzy Hash: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction Fuzzy Hash: CE919371E00255ABDB208FA4C881EEF7BB59F4D714F18656BE801E7261DB39DC41CB68

Function 00474523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00474648
VariantInit.OLEAUT32(?), ref: 00474749
VariantClear.OLEAUT32(?), ref: 00474753
VariantClear.OLEAUT32(?), ref: 004747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004745D8, 00474706, 004747BE
Incorrect Object type in FOR..IN loop, xrefs: 0047472C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0f9b947d04244b72b4debb717c162122d37bd7ab32f0f7f7969fd8162bb7ebe0
Instruction ID: 8bb02bb70d6fc837ddbc89c827f5c0a06f5ada2ad9c6ebba196a46bc10258350
Opcode Fuzzy Hash: 0f9b947d04244b72b4debb717c162122d37bd7ab32f0f7f7969fd8162bb7ebe0
Instruction Fuzzy Hash: D2918071A00219ABDF24CFA5C884FEFB7B8AF85714F10855AF509AB280D7789945CFA4

Function 00461187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0046125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00461284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0046135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00461430

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 870b920be71cf0de4bd058a6dd967d1f7177473ed4c9c1d8a40a8abf6782f3a4
Instruction ID: ed286f47d434b638abc8aa02ff81fc58ec016e27bcbc3c59595c3431cf02c4e2
Opcode Fuzzy Hash: 870b920be71cf0de4bd058a6dd967d1f7177473ed4c9c1d8a40a8abf6782f3a4
Instruction Fuzzy Hash: EB9105719002189FDB00DFA5C895BBE77B5FF44714F18406BE901EB3A1EB78A941CB9A

Function 0040948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction ID: 313451044a63bfadd1b2deac475ffb8ef511beae5d4e75b889b0bca4a7baca5a
Opcode Fuzzy Hash: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction Fuzzy Hash: D0910771900219EFCB10CFA9CC84AEEBBB8FF49324F14455AE515B7291D378AD42CB64

Function 00473947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047396B
CharUpperBuffW.USER32(?,?), ref: 00473A7A
_wcslen.LIBCMT ref: 00473A8A
VariantClear.OLEAUT32(?), ref: 00473C1F

Part of subcall function 00460CDF: VariantInit.OLEAUT32(00000000), ref: 00460D1F
Part of subcall function 00460CDF: VariantCopy.OLEAUT32(?,?), ref: 00460D28
Part of subcall function 00460CDF: VariantClear.OLEAUT32(?), ref: 00460D34

Strings

Incorrect Parameter format, xrefs: 004739A6, 00473BA1
AUTOIT.ERROR, xrefs: 00473A80, 00473A85

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bf6e71bdf0516bc2280bf8753ef8c3c901f9a31884162e0f8d2a13d955356e7a
Instruction ID: 2f169eab9eeb22e9f134df0c750203d55bbab39cdd791c520e39937ca0f48fe5
Opcode Fuzzy Hash: bf6e71bdf0516bc2280bf8753ef8c3c901f9a31884162e0f8d2a13d955356e7a
Instruction Fuzzy Hash: FA91AC756083059FC700EF24C4819AAB7E4FF89315F14886EF88A9B352DB34EE05CB96

Function 00474BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0045000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
Part of subcall function 0045000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
Part of subcall function 0045000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
Part of subcall function 0045000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00474C51
_wcslen.LIBCMT ref: 00474D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00474DCF
CoTaskMemFree.OLE32(?), ref: 00474DDA

Strings

NULL Pointer assignment, xrefs: 00474E23, 00474E52

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction ID: f8176d7588c0b52adb6f1c3bcaaeadb2ae13b1b3a0adbcde8325838904c48a24
Opcode Fuzzy Hash: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction Fuzzy Hash: 34914971D0021DAFDF11DFA4C881AEEB7B8FF48314F10816AE919AB241DB749A45CFA4

Function 004820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00482183
GetMenuItemCount.USER32(00000000), ref: 004821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004821DD
_wcslen.LIBCMT ref: 00482213
GetMenuItemID.USER32(?,?), ref: 0048224D
GetSubMenu.USER32(?,?), ref: 0048225B

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004822E3

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 82c270d1e90b99efd489710031b614b9d10211b8a6e0fdd28d0d6b0a9c2f2293
Instruction ID: 914b23103b3b2ca7426316afa636188ba956a78c6b47d11c6c1b55227994f55e
Opcode Fuzzy Hash: 82c270d1e90b99efd489710031b614b9d10211b8a6e0fdd28d0d6b0a9c2f2293
Instruction Fuzzy Hash: 2F71B175E00215AFCB11EF65C985AAEB7F1FF48310F1088AAE916EB341D778ED418B94

Function 00487E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D57B08), ref: 00487F37
IsWindowEnabled.USER32(00D57B08), ref: 00487F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048801E
SendMessageW.USER32(00D57B08,000000B0,?,?), ref: 00488051
IsDlgButtonChecked.USER32(?,?), ref: 00488089
GetWindowLongW.USER32(00D57B08,000000EC), ref: 004880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004880C3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 610a548b3e5c3d3536c66fa734510f02d04d858bbd78c6e55a025ac0394f91f2
Instruction ID: aba79a2e80073a85230d81c029deab643fc7493ba99d1a1b567066ff242eaa53
Opcode Fuzzy Hash: 610a548b3e5c3d3536c66fa734510f02d04d858bbd78c6e55a025ac0394f91f2
Instruction Fuzzy Hash: 61717274508204AFDB21AF55C894FAF7BB5EF0A300F24485EEB5557361CB35E845DB28

Function 0045AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045AEF9
GetKeyboardState.USER32(?), ref: 0045AF0E
SetKeyboardState.USER32(?), ref: 0045AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0045AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0045AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0045AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0045B020

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction ID: fa96e349483240ad124fb07fdada7544f3738b45526bb548695f0b3d61ff48b1
Opcode Fuzzy Hash: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction Fuzzy Hash: E15104A16043D13DFB3242348C45BBBBEA99B06705F08898AF9D9555C3D39CACDCD3A9

Function 0045ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0045AD19
GetKeyboardState.USER32(?), ref: 0045AD2E
SetKeyboardState.USER32(?), ref: 0045AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0045ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0045ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0045AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0045AE38

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction ID: dc1c77052027c246d28d5bdb854a79b7e4b7183efe99ade29d1d828ab3aab3e8
Opcode Fuzzy Hash: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction Fuzzy Hash: B25128A15443D53DF73252248C46B7BBEA96B05302F08868AE4D5569C3D39CECACD36A

Function 0042542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00433CD6,?,?,?,?,?,?,?,?,00425BA3,?,?,00433CD6,?,?), ref: 00425470
__fassign.LIBCMT ref: 004254EB
__fassign.LIBCMT ref: 00425506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00433CD6,00000005,00000000,00000000), ref: 0042552C
WriteFile.KERNEL32(?,00433CD6,00000000,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 0042554B
WriteFile.KERNEL32(?,?,00000001,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 00425584

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction ID: b7a9407c634d6c8942f921161e4259e0f3afa31962071d9b395fdc44d0df0e2b
Opcode Fuzzy Hash: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction Fuzzy Hash: 5151E770A00618AFDB10CFA8E885AEEBBF5EF09301F14451FF555E7291D7349A81CB68

Function 004710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00471112
WSAGetLastError.WSOCK32 ref: 00471121
WSAGetLastError.WSOCK32 ref: 004711C9
closesocket.WSOCK32(00000000), ref: 004711F9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction ID: e3b74ee51a6ca19a9e774c5e219a92e00b6b74546dfdb8db5451935c9fba7c2d
Opcode Fuzzy Hash: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction Fuzzy Hash: CD41E431600208AFDB109F58C884BEAB7E9EF49324F54C06AF9099F2A1C774AD45CBE5

Function 0045CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

lstrcmpiW.KERNEL32(?,?), ref: 0045CF45
MoveFileW.KERNEL32(?,?), ref: 0045CF7F
_wcslen.LIBCMT ref: 0045D005
_wcslen.LIBCMT ref: 0045D01B
SHFileOperationW.SHELL32(?), ref: 0045D061

Strings

\*.*, xrefs: 0045CFF3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d974993517b62589f97ea490daa9bea6cf5e1c1316f497137acf236fa005405e
Instruction ID: 199423ff8edbf58b502e159ac034f84941b21d26e7586aa7afd18f8dd8184715
Opcode Fuzzy Hash: d974993517b62589f97ea490daa9bea6cf5e1c1316f497137acf236fa005405e
Instruction Fuzzy Hash: E6415872D452185FDF12EBA5DD81ADE77B8AF08385F1000EBE505EB142EA38A788CB54

Function 00482DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00482E1C
GetWindowLongW.USER32(?,000000F0), ref: 00482E4F
GetWindowLongW.USER32(?,000000F0), ref: 00482E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00482EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00482EE0
GetWindowLongW.USER32(?,000000F0), ref: 00482EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00482F0B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction ID: f1fc31ae0b9c14c825802eb533dc923572964ad7b88d60247902d420f1323702
Opcode Fuzzy Hash: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction Fuzzy Hash: D2312430604250AFDB21EF18DD84F6A37E0FB8A710F14057AFA009F2B2CBB5A840DB19

Function 00457726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045778F
SysAllocString.OLEAUT32(00000000), ref: 00457792
SysAllocString.OLEAUT32(?), ref: 004577B0
SysFreeString.OLEAUT32(?), ref: 004577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004577DE
SysAllocString.OLEAUT32(?), ref: 004577EC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 93a16a87203962306b495b5351e75acbb9d8e29d1d4367b96b9f015100b0c01f
Instruction ID: d533f0c90f74d5267fa8e412a54d187f00867125110fdab2c7b0f349a79e0074
Opcode Fuzzy Hash: 93a16a87203962306b495b5351e75acbb9d8e29d1d4367b96b9f015100b0c01f
Instruction Fuzzy Hash: B921A176604219AFDB10DFA8EC88CBB77ACEB09764700843AFD04DB291D674EC458B68

Function 004577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457868
SysAllocString.OLEAUT32(00000000), ref: 0045786B
SysAllocString.OLEAUT32 ref: 0045788C
SysFreeString.OLEAUT32 ref: 00457895
StringFromGUID2.OLE32(?,?,00000028), ref: 004578AF
SysAllocString.OLEAUT32(?), ref: 004578BD

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 20eaa86e18be136b19773c866ca6aa78b26ee0d6c4f3f63dfc68100aaa028b9b
Instruction ID: d5877a8f0f4abcbddc27c7edee66637174c27bb29250375e206213e958c0f864
Opcode Fuzzy Hash: 20eaa86e18be136b19773c866ca6aa78b26ee0d6c4f3f63dfc68100aaa028b9b
Instruction Fuzzy Hash: F5217731604114AFDB10AFA9EC8CDAB77ECEB097617108536F915CB2A2D674DC49CB78

Function 004604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0046052E

Strings

nul, xrefs: 00460567

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction ID: 0dbf230db5884ec295f617ece842c0e2cc6f96f0111282230d4174591bb19b2d
Opcode Fuzzy Hash: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction Fuzzy Hash: 42216D75500305ABDB209F29DC44A9B77A4AF45724F204A2AF8A2D62E0F7749951CF29

Function 004605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00460601

Strings

nul, xrefs: 00460639

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction ID: 4d1541fee30c211a2f062298cbcfc861c7d3724d49e4a6d43f37588eb8524a85
Opcode Fuzzy Hash: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction Fuzzy Hash: 652183755003059BDB209F69DC44A9B77E4AF95724F200A1AF8A1E73E0E7749861CB2A

Function 004840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00484112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00484139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00484145

Strings

Msctls_Progress32, xrefs: 004840E3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction ID: 65bef063fa6f10532bc5e3f1f2f62f404983986353257fbc1a3ce481038c4555
Opcode Fuzzy Hash: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction Fuzzy Hash: A411D3B115021A7EEF119F64CC85EEB7F5DEF08398F014111BA18A2150CB769C219BA4

Function 0042D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042D7A3: _free.LIBCMT ref: 0042D7CC

_free.LIBCMT ref: 0042D82D

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D838
_free.LIBCMT ref: 0042D843
_free.LIBCMT ref: 0042D897
_free.LIBCMT ref: 0042D8A2
_free.LIBCMT ref: 0042D8AD
_free.LIBCMT ref: 0042D8B8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cbba1242cf76be80aa107b77dbc11bd47c3308b046ae1a59affd0977960c5973
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 331151B1B40B24BAD521BFB2EC47FCB7BDC6F44704FC0082EB2D9A6092DA6DB5454654

Function 0045DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0045DA74
LoadStringW.USER32(00000000), ref: 0045DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0045DA91
LoadStringW.USER32(00000000), ref: 0045DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045DAB9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction ID: 86c0e5dc60bcd9592ff5a18f621cf454be46611acc376a03ae1b87aca79c49ba
Opcode Fuzzy Hash: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction Fuzzy Hash: AB013BF69002087FE711A7A49DC9EEB776CEB04705F444867B745E2041E6749D844F79

Function 0046096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D54CC8,00D54CC8), ref: 0046097B
EnterCriticalSection.KERNEL32(00D54CA8,00000000), ref: 0046098D
TerminateThread.KERNEL32(?,000001F6), ref: 0046099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004609A9
CloseHandle.KERNEL32(?), ref: 004609B8
InterlockedExchange.KERNEL32(00D54CC8,000001F6), ref: 004609C8
LeaveCriticalSection.KERNEL32(00D54CA8), ref: 004609CF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction ID: ef34c5400e9c045df47060088d17aeb6c40dc9a32a8ba49d9f0e070ac5ec7bd6
Opcode Fuzzy Hash: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction Fuzzy Hash: B6F01D71442902ABD7415B94EECCADA7B25BF01712F40242AF101508A0D7749465CFA8

Function 003F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003F5D30
GetWindowRect.USER32(?,?), ref: 003F5D71
ScreenToClient.USER32(?,?), ref: 003F5D99
GetClientRect.USER32(?,?), ref: 003F5ED7
GetWindowRect.USER32(?,?), ref: 003F5EF8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ce06fd5dee4b686f40e253e1d826f42d0cc8d05a9bafa8d5ad557b1dec5e07d8
Instruction ID: 9e748202583f0845f54d5ea4fc1624e998ab71bd7d48154b05fbddfb645c7933
Opcode Fuzzy Hash: ce06fd5dee4b686f40e253e1d826f42d0cc8d05a9bafa8d5ad557b1dec5e07d8
Instruction Fuzzy Hash: 67B17778A00A4ADBDB14CFA8C4807FEB7F1FF58310F14941AEAA9D7650DB34AA51CB54

Function 004201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004200D6
__allrem.LIBCMT ref: 004200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042010B
__allrem.LIBCMT ref: 00420122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00420140

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 9afd728bf78528d33ddea05b7b68c68854bbbf4e3791c0cc6ed274505f208177
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F3811671B007129BE7209A29EC41BAB73E9AF41328F64412FF511D7382E7B9D9428798

Function 00471D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00473149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0047101C,00000000,?,?,00000000), ref: 00473195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00471DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00471DE1
WSAGetLastError.WSOCK32 ref: 00471DF2
inet_ntoa.WSOCK32(?), ref: 00471E8C
htons.WSOCK32(?,?,?,?,?), ref: 00471EDB
_strlen.LIBCMT ref: 00471F35

Part of subcall function 004539E8: _strlen.LIBCMT ref: 004539F2

Part of subcall function 003F6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0040CF58,?,?,?), ref: 003F6DBA
Part of subcall function 003F6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0040CF58,?,?,?), ref: 003F6DED

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: c300d92fca3fd13fc5a86ada71f041b9cde29301dd62f34818084ba81c60681a
Instruction ID: 25a598bae56179c853050bbffb60c85c3052191c46874de6525c45c93a9b50d7
Opcode Fuzzy Hash: c300d92fca3fd13fc5a86ada71f041b9cde29301dd62f34818084ba81c60681a
Instruction Fuzzy Hash: 2BA1E170104300AFC324DF24C891F6BB7A5AF84318F54895EF55A5B2E2CB35ED46CB96

Function 004261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004182D9,004182D9,?,?,?,0042644F,00000001,00000001,8BE85006), ref: 00426258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0042644F,00000001,00000001,8BE85006,?,?,?), ref: 004262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004263D8
__freea.LIBCMT ref: 004263E5

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

__freea.LIBCMT ref: 004263EE
__freea.LIBCMT ref: 00426413

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction ID: 34fe021adbb77e755b057b766828e16fbcc94b74aabafedccb2a05bd61310cc1
Opcode Fuzzy Hash: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction Fuzzy Hash: DB51F472700226ABDB259F64EC81EAF77A9EF44714F96466EFC05D6240DB3CDC40CA68

Function 0047BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BD25
RegCloseKey.ADVAPI32(00000000), ref: 0047BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0047BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BDF3
RegCloseKey.ADVAPI32(?), ref: 0047BDFF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9f087fd341a7f2daed9ded637d4ff0b0786c9e4947a95c1dc63c0cca12db16b1
Instruction ID: 7603340aba0bda48f29219b23a6c1372181d713bd00339b738c7fe835240a149
Opcode Fuzzy Hash: 9f087fd341a7f2daed9ded637d4ff0b0786c9e4947a95c1dc63c0cca12db16b1
Instruction Fuzzy Hash: DE818970208241AFC715DF24C881F6ABBE5FF84308F14896EF5598B2A2DB35ED45CB96

Function 0044F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0044F7B9
SysAllocString.OLEAUT32(00000001), ref: 0044F860
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F889
VariantClear.OLEAUT32(0044FA64), ref: 0044F8AD
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F8B1
VariantClear.OLEAUT32(?), ref: 0044F8BB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f4df02cfb076ec6b8eb36d9ceb3bca3a96c3f37342eccdefea6a564026dd54be
Instruction ID: c719a68ebcd049e000274489fcd53646e2607ede520dcf2e4ffec57187c8777a
Opcode Fuzzy Hash: f4df02cfb076ec6b8eb36d9ceb3bca3a96c3f37342eccdefea6a564026dd54be
Instruction Fuzzy Hash: A251E771A00310BAEF24AB65D895B29B3A4EF45714B24847BE906DF291DB788C48C76F

Function 0046910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004694E5
_wcslen.LIBCMT ref: 00469506
_wcslen.LIBCMT ref: 0046952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00469585

Strings

X, xrefs: 00469412

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b58697a0c9dceab4d3d7b26a5fb6c94c5241bd9627c749af0772557771e3277e
Instruction ID: a132103b52f64ca81d8ab58065db7a1d7215a6eb5088ac3b468a2556cf713ad0
Opcode Fuzzy Hash: b58697a0c9dceab4d3d7b26a5fb6c94c5241bd9627c749af0772557771e3277e
Instruction Fuzzy Hash: B8E1BF716083009FC725DF24C881A6AB7E4BF85314F04896EF9899B3A2EB74DD45CB96

Function 0040920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

BeginPaint.USER32(?,?,?), ref: 00409241
GetWindowRect.USER32(?,?), ref: 004092A5
ScreenToClient.USER32(?,?), ref: 004092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004092D3
EndPaint.USER32(?,?,?,?,?), ref: 00409321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004471EA

Part of subcall function 00409339: BeginPath.GDI32(00000000), ref: 00409357

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction ID: d372052d295b3b7446b610ed212f2def32226561701a6a69fe5d01f36d020ca7
Opcode Fuzzy Hash: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction Fuzzy Hash: FD418D70104201AFD711DF25CC84FAA7BA8EB4A324F14067EF954962F2C7359C46DB6A

Function 004607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0046080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00460847
EnterCriticalSection.KERNEL32(?), ref: 00460863
LeaveCriticalSection.KERNEL32(?), ref: 004608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00460921

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1c81048b31ef14b8e5b01b0e7f7dfe366ae0fd9db9f68490bc51ee10b7146940
Instruction ID: b093d6a1650cd82936426c0423fb1539a14a16f411ccb3f275c0385d6fdf4942
Opcode Fuzzy Hash: 1c81048b31ef14b8e5b01b0e7f7dfe366ae0fd9db9f68490bc51ee10b7146940
Instruction Fuzzy Hash: F4418871900205EBDF14EF55DC85AAB77B9FF44314F1040BAED00AA296DB34DE64CBA8

Function 004881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0044F3AB,00000000,?,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0048824C
EnableWindow.USER32(?,00000000), ref: 00488272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004882D1
ShowWindow.USER32(?,00000004), ref: 004882E5
EnableWindow.USER32(?,00000001), ref: 0048830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0048832F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction ID: cab391f7d7bf73d3d06a9e4e50dbc70949ecb73988f5c3dcea59cd2729f35113
Opcode Fuzzy Hash: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction Fuzzy Hash: 1841C474601644AFDB22EF15C895FAD7BE0BB06714F5805BEE9088B372CB36A841CB58

Function 00454C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00454C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00454CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00454CEA
_wcslen.LIBCMT ref: 00454D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00454D10
_wcsstr.LIBVCRUNTIME ref: 00454D1A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ea792f716cf27fe7283f8c00c20f9a510ae25d774b39723b0460cd2c6dbc08d8
Instruction ID: 9b5f836ad33c864881fdf9b91b3317106ec9bde4f0f9aa1b79e3809d44870bee
Opcode Fuzzy Hash: ea792f716cf27fe7283f8c00c20f9a510ae25d774b39723b0460cd2c6dbc08d8
Instruction Fuzzy Hash: A621F8312041007BEB255B26DC45A7F7BA8DF85754F10403FFC05DE292EA79DC8992A4

Function 0046581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

_wcslen.LIBCMT ref: 0046587B
CoInitialize.OLE32(00000000), ref: 00465995
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 004659AE
CoUninitialize.OLE32 ref: 004659CC

Strings

.lnk, xrefs: 00465876, 004658C1, 00465985

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b70289ae1f143f004f9b72516186d2c63564a3f2ffbe7bcc11ffa23c03b4b701
Instruction ID: 1f569d8d84d3528eca047b5256dbcc199f1f46dc9f07e21392d34acc3b63bdf3
Opcode Fuzzy Hash: b70289ae1f143f004f9b72516186d2c63564a3f2ffbe7bcc11ffa23c03b4b701
Instruction Fuzzy Hash: D3D153B06047059FC714DF25C480A2ABBE1FF89714F14895EF88A9B361EB35EC49CB96

Function 0045175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
Part of subcall function 00450FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
Part of subcall function 00450FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
Part of subcall function 00450FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

GetLengthSid.ADVAPI32(?,00000000,00451335), ref: 004517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004517BA
HeapAlloc.KERNEL32(00000000), ref: 004517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004517DA
GetProcessHeap.KERNEL32(00000000,00000000,00451335), ref: 004517EE
HeapFree.KERNEL32(00000000), ref: 004517F5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction ID: d5b1bf2c16d756b9835e9a7c90508a9b7c58f16db20fba89aa9b79171214367d
Opcode Fuzzy Hash: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction Fuzzy Hash: 77118431500205FFDB109FA8DCC9BAF77A9EB46356F10452DF84197221D7399948CB68

Function 004514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00451506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00451515
CloseHandle.KERNEL32(00000004), ref: 00451520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0045154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00451563

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction ID: 6352e36ece4a548060da9bededa830ea963f946618aed91fb83e8328f225f85f
Opcode Fuzzy Hash: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction Fuzzy Hash: E9118C7210020DABDF118F98DD89FDE3BA9EF49745F044029FE05A2160D3758E65EB65

Function 00413382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00413379,00412FE5), ref: 00413390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004133B7
SetLastError.KERNEL32(00000000,?,00413379,00412FE5), ref: 00413409

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a9f472305e45b357ed301babce3aac17e972df0c2f03870b4c508fa343a72447
Instruction ID: f84962ed4c81748bb3fedc013a966b7bf523ee1d385cca25a2e32fce21532017
Opcode Fuzzy Hash: a9f472305e45b357ed301babce3aac17e972df0c2f03870b4c508fa343a72447
Instruction Fuzzy Hash: 69019E32709311ABAA253FB57CC56EB2A94EB0577B720033FF820852F1EF194D92565C

Function 00422D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00425686,00433CD6,?,00000000,?,00425B6A,?,?,?,?,?,0041E6D1,?,004B8A48), ref: 00422D78
_free.LIBCMT ref: 00422DAB
_free.LIBCMT ref: 00422DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DEC
_abort.LIBCMT ref: 00422DF2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction ID: 17afdb2d5ada70e8428e61248c23fc6ded1650e88ea7eeef4d3699cafd68ea83
Opcode Fuzzy Hash: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction Fuzzy Hash: C6F0F93575453077C2522B3A7E46E5F1559AFC1765BA0052FF824922D2DFBC8802417C

Function 00488A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00488A4E
LineTo.GDI32(?,00000003,00000000), ref: 00488A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00488A70
LineTo.GDI32(?,00000000,00000003), ref: 00488A80
EndPath.GDI32(?), ref: 00488A90
StrokePath.GDI32(?), ref: 00488AA0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction ID: afb1a8375d40acda1a75d697568ad6e627961b369819fbdd3ccccca546bc988e
Opcode Fuzzy Hash: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction Fuzzy Hash: 65110976400108FFDB129F90DC88EAE7F6DEB09394F008426BA199A1A1C7719D55DFA4

Function 004551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00455218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00455229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00455230
ReleaseDC.USER32(00000000,00000000), ref: 00455238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00455261

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction ID: 317e3ba14e41d5d56128b28b728f74f35f493501b22594faa8df60d53847d40f
Opcode Fuzzy Hash: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction Fuzzy Hash: 92014475A00714BBEB105BF59C89A5EBF78EF44751F04447AFA04E7281D6709805CFA4

Function 003F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction ID: e64fb44cad9e3bee6c2abe41a45e626825a679d63d9fbb341b94087f606f6f5c
Opcode Fuzzy Hash: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction Fuzzy Hash: 7D016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 0045EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0045EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0045EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB75

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction ID: c540b0c06c12fb4b0c5d2550e6153285f0e0a863d3e88dedfbaae63eaf373b5c
Opcode Fuzzy Hash: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction Fuzzy Hash: C8F01D72540158BBE62157529C8DEAF3A7CEBCAB11F00056DFA01E1191E7B05A018BB9

Function 00447439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00447452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00447469
GetWindowDC.USER32(?), ref: 00447475
GetPixel.GDI32(00000000,?,?), ref: 00447484
ReleaseDC.USER32(?,00000000), ref: 00447496
GetSysColor.USER32(00000005), ref: 004474B0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction ID: 948914efd47ae4ffc1c3a6e3e8cb207075136a5dde640de3c0884d74ed4f472a
Opcode Fuzzy Hash: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction Fuzzy Hash: D3018B31400215FFEB515FA4EC48BAE7BB5FF04321F100879F915A21B1CB351E42AB69

Function 00451874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045187F
UnloadUserProfile.USERENV(?,?), ref: 0045188B
CloseHandle.KERNEL32(?), ref: 00451894
CloseHandle.KERNEL32(?), ref: 0045189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004518A5
HeapFree.KERNEL32(00000000), ref: 004518AC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction ID: 584eea221131b221d6cbc4d2dfcb706ee0dac568cab3e5ad9e22825e072f82e2
Opcode Fuzzy Hash: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction Fuzzy Hash: 46E0E536004101BBDB016FA1ED8CD0EBF39FF49B22B108A38F22581474CB329421EF68

Function 003FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003FBEB3

Strings

D%L, xrefs: 003FBDED, 003FBD91, 003FBD1B
D%L, xrefs: 003FBCA2
D%L, xrefs: 003FBE9A
D%LD%L, xrefs: 003FBCA5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%L$D%L$D%L$D%LD%L
API String ID: 1385522511-3295220586
Opcode ID: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction ID: 3b415746559d67da7ca13c1b774d6092dfb8eab9bb88adea9224e612642c2e92
Opcode Fuzzy Hash: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction Fuzzy Hash: F1914AB5A0020ADFCB59CF58C190ABAF7F5FF58310B25816EEA45AB350D771E981CB90

Function 00477B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00477BFB

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Strings

5, xrefs: 00477C78
G, xrefs: 00477C7F
Variable must be of type 'Object'., xrefs: 00477C3A
+TD, xrefs: 00477E2E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TD$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2061947132
Opcode ID: 2111a3c31b0fd5c6f86c1fdcee1f7a43379764c757c1adc3aa54ea7e3741b758
Instruction ID: 51f77272207f5e95022d70ed6729936a409cf22c1552089f7fcc0ef5657b821f
Opcode Fuzzy Hash: 2111a3c31b0fd5c6f86c1fdcee1f7a43379764c757c1adc3aa54ea7e3741b758
Instruction Fuzzy Hash: 92918C74A04209AFCB15EF55C9819FEB7B1AF48304F50805EF80A9B392DB799E41CB59

Function 0045C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C6EE
_wcslen.LIBCMT ref: 0045C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0045C7CA

Strings

0, xrefs: 0045C6AF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 25baf0254de117f4bd799aaf54d96a737411401827372c6f02c8d7bcbab0a45b
Instruction ID: 4f9cf93ffce41ef63766d4606d45ac9759bc83875567427ce8acbf4a38ed0afa
Opcode Fuzzy Hash: 25baf0254de117f4bd799aaf54d96a737411401827372c6f02c8d7bcbab0a45b
Instruction Fuzzy Hash: 0151DF71604302AFD7109F28C8C5B6B77E4AF49315F04092FFD95E26A2DB78D908CB9A

Function 0047AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0047AEA3

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetProcessId.KERNEL32(00000000), ref: 0047AF38
CloseHandle.KERNEL32(00000000), ref: 0047AF67

Strings

<, xrefs: 0047AE6B
@, xrefs: 0047AE72

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4912519e61d4b244eb32c069901bcbc7f8cc82c980e4a0a3a659c48b3778da3f
Instruction ID: 763e1e6196d3f7140a2daf2367decdd5182cd306ac9ad578af1e3092bebafaa5
Opcode Fuzzy Hash: 4912519e61d4b244eb32c069901bcbc7f8cc82c980e4a0a3a659c48b3778da3f
Instruction Fuzzy Hash: 4E715B70A00619DFCB15DF54C484AAEBBF1FF48314F0484AAE81AAB392C778ED55CB95

Function 0045719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00457206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004572CF

Strings

DllGetClassObject, xrefs: 00457242

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction ID: 288d3ac3eff892292c188fc2529126eaae122ad65bb0a034ecc1ba18efdaba2b
Opcode Fuzzy Hash: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction Fuzzy Hash: CE419C71A04204AFDB15CF54D884A9A7BA9EF44311F2084BEBD099F20BD7B8D949CBA4

Function 00483D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00483E35
IsMenu.USER32(?), ref: 00483E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00483E92
DrawMenuBar.USER32 ref: 00483EA5

Strings

0, xrefs: 00483D89

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8299c17df2659600706619863ffa9c216fed3026fa191b69b166c19afa661cd0
Instruction ID: f6c2d2a1a4deea8a40c599ce2aad1867903000b5f97ddbe3c914a7a94992d74c
Opcode Fuzzy Hash: 8299c17df2659600706619863ffa9c216fed3026fa191b69b166c19afa661cd0
Instruction Fuzzy Hash: BE4157B5A00209EFDB10EF50D884EAEBBB9FF49751F04482AE905A7350D734AE41CF64

Function 00451DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00451E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00451E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00451EA9

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Strings

ComboBox, xrefs: 00451DF0
ListBox, xrefs: 00451E25

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 5dc14f54cec6e32e07c96cce0162c71804b7121a6da1f4b0525cb776535df312
Instruction ID: 35e224688e50caea6c60571086aaab4e7a76692bf33e5af16b58eec2849cb2bf
Opcode Fuzzy Hash: 5dc14f54cec6e32e07c96cce0162c71804b7121a6da1f4b0525cb776535df312
Instruction Fuzzy Hash: FC210471A00108BADB15AB61DC86EFFB7A99F41355B10452FFC21A72E2DB384D0E8624

Function 0047C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047C9F1
_wcslen.LIBCMT ref: 0047CA68
_wcslen.LIBCMT ref: 0047CA9E
_wcslen.LIBCMT ref: 0047CAF9
_wcslen.LIBCMT ref: 0047CB2F
_wcslen.LIBCMT ref: 0047CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0047CA62, 0047CA67
HKLM, xrefs: 0047CA98, 0047CA9D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 48468bdab194bc85548e4afce6a1bb8230b9a9e900e594b311c2d653ddc757d3
Instruction ID: b7e7eb65bca5b4031bbc9e7d753f5d0299d88676c8994800b978ae144ae91521
Opcode Fuzzy Hash: 48468bdab194bc85548e4afce6a1bb8230b9a9e900e594b311c2d653ddc757d3
Instruction Fuzzy Hash: C2312572A0016A8BCB20EE2C99C03FF33915BA1755B05C02FEC09AB345E678CD8083A8

Function 00482F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00482F8D
LoadLibraryW.KERNEL32(?), ref: 00482F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00482FA9
DestroyWindow.USER32(?), ref: 00482FB1

Strings

SysAnimate32, xrefs: 00482F68

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction ID: 80d5de0af434f61668b32ccf88fd23c519f72086dc27d985c05a3c36bc0b2eff
Opcode Fuzzy Hash: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction Fuzzy Hash: E521DE71204205ABEB106F64DD80EBF37B9EF59324F100A2AFB10D22A0D7B5DC51E768

Function 00414D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002), ref: 00414D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00414DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000), ref: 00414DC3

Strings

mscoree.dll, xrefs: 00414D86
CorExitProcess, xrefs: 00414D98

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction ID: f67b8e7b84fa0227685d50cd649e1840f49ad20482eaef20398ac7bb5a572544
Opcode Fuzzy Hash: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction Fuzzy Hash: 4FF04435540208BBDF115F90DC89BDEBFB5EF44752F0001BAF905A2650CB745984CB99

Function 003F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

Strings

kernel32.dll, xrefs: 003F4E94
Wow64DisableWow64FsRedirection, xrefs: 003F4EA8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction ID: 8bbb6a6025578e0a075fafa09fb98840dada9822e9daaeda4258ba11409c1a2b
Opcode Fuzzy Hash: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction Fuzzy Hash: 0CE08635A025229B93331B257C9CB6F6554AF91F627060529FE00D2204DB74CD0586B8

Function 003F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Strings

kernel32.dll, xrefs: 003F4E5B
Wow64RevertWow64FsRedirection, xrefs: 003F4E6E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction ID: 112e92a6e07d8ebd661fa414712a048df42e15fb21923cf218f380472265dcdc
Opcode Fuzzy Hash: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction Fuzzy Hash: A8D0C231902A216747331B257C8CE9F2A18AF81F113060A29BA00A2114CF34CD058BF8

Function 00462947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462C05
DeleteFileW.KERNEL32(?), ref: 00462C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00462C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CC0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: abc763d02e3c21c601dfa9fd2afdb053f6aa574d393f1ad955a8269352aed74c
Instruction ID: cff3721dd62224d4733f7ca604b5f28ffe661b59fce17a3db33d635910522b58
Opcode Fuzzy Hash: abc763d02e3c21c601dfa9fd2afdb053f6aa574d393f1ad955a8269352aed74c
Instruction Fuzzy Hash: 4AB16D71D00519ABDF21DFA5CD85EEEB7BDEF48304F0040ABF609E6141EA74AA448F66

Function 0047A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0047A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047A468
CloseHandle.KERNEL32(?), ref: 0047A63D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e795a3ec31d8b3333b752ad5d69bdc4b2f37b02adf69dd92a506a603688d011c
Instruction ID: 9101f8349bdc645d4afa901e53c13368dac5fc0234f88971e44455973263b30f
Opcode Fuzzy Hash: e795a3ec31d8b3333b752ad5d69bdc4b2f37b02adf69dd92a506a603688d011c
Instruction Fuzzy Hash: 72A19271604301AFD720DF24C886F2AB7E5AF84714F14885EF99A9B3D2D7B4EC418B96

Function 0045E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

lstrcmpiW.KERNEL32(?,?), ref: 0045E473
MoveFileW.KERNEL32(?,?), ref: 0045E4AC
_wcslen.LIBCMT ref: 0045E5EB
_wcslen.LIBCMT ref: 0045E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0045E650

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c52508bdefd155e222fa4f3e5eaa5885c134e74de76ff19bf4067eeda301a85b
Instruction ID: 3e3792644c2b15de30c549d8b32823fbbe235963c53c8d08b541cb978745e86b
Opcode Fuzzy Hash: c52508bdefd155e222fa4f3e5eaa5885c134e74de76ff19bf4067eeda301a85b
Instruction Fuzzy Hash: 3D5143B24083455BC724DB91DC81ADF73DC9F85345F40491FFA89D3152EE78A68C876A

Function 0047B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0047BB63
RegCloseKey.ADVAPI32(?,?), ref: 0047BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0047BBB3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 41a178be56a2ea8d7cb7307a2e4d6122e9e20daf099e9f96be43dec5a2146b0e
Instruction ID: ea45b7f57c78be6f4c76c46cdf87d7c44c46ad107b91de1d7044262272379323
Opcode Fuzzy Hash: 41a178be56a2ea8d7cb7307a2e4d6122e9e20daf099e9f96be43dec5a2146b0e
Instruction Fuzzy Hash: EF618D71208205AFC715DF24C490F6ABBE5FF84348F14896EF4998B2A2DB35ED45CB92

Function 00458BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00458BCD
VariantClear.OLEAUT32 ref: 00458C3E
VariantClear.OLEAUT32 ref: 00458C9D
VariantClear.OLEAUT32(?), ref: 00458D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00458D3B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction ID: 2e849b1ca5a765950828d2652af1a0bd95aecafebdcacea5f2f65136b40d39c9
Opcode Fuzzy Hash: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction Fuzzy Hash: C0516B75A00219EFCB10CF58D884AAAB7F4FF89314B15855EE905EB350EB34E915CF94

Function 00468AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00468BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00468BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00468C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00468C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00468C5F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8437b4d471c9004fd50528f559cd9461b2550999f4ad9ff5e41214b1baf03c58
Instruction ID: 06d479ca2b3734b4fc8d86815b9aec287f033a0e40dd2e7c0faa41041c49d1e7
Opcode Fuzzy Hash: 8437b4d471c9004fd50528f559cd9461b2550999f4ad9ff5e41214b1baf03c58
Instruction Fuzzy Hash: 20517F35A002199FCB01DF65C880E6EBBF1FF49314F088499E949AB3A2DB35ED45CB95

Function 00478EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00478F40
GetProcAddress.KERNEL32(00000000,?), ref: 00478FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00478FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00479032
FreeLibrary.KERNEL32(00000000), ref: 00479052

Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00461043,?,753CE610), ref: 0040F6E6
Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0044FA64,00000000,00000000,?,?,00461043,?,753CE610,?,0044FA64), ref: 0040F70D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction ID: 0b96e451d444d1befc40bed93c1fca63f9628f0bb71a743d2418cc9417b3235c
Opcode Fuzzy Hash: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction Fuzzy Hash: A7513A34600249DFCB11DF54C4949AEBBB1FF49314B0480AAE909AB362DB35ED86CB95

Function 00486B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00486C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00486C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00486C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0046AB79,00000000,00000000), ref: 00486C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00486CC7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction ID: 623ace157d3bea4d880104249c5b191ce1a232678b5c1caea025d30bd5d9eeb2
Opcode Fuzzy Hash: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction Fuzzy Hash: 4441C475600114AFD764EF28CC94FAE7BA5EB09350F160A2AE855A73A0C375ED41CB58

Function 00422051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004220C3
_free.LIBCMT ref: 004220E3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction ID: 7a157c230d35d069c80f036a311ef01fe8b9751b9955dd3cf69241c3fca3ae4f
Opcode Fuzzy Hash: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction Fuzzy Hash: D8410272B00210AFCB20DF79DA80A6EB3E1EF88314F55416AE605EB391DB75AD01CB84

Function 0040912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00409141
ScreenToClient.USER32(00000000,?), ref: 0040915E
GetAsyncKeyState.USER32(00000001), ref: 00409183
GetAsyncKeyState.USER32(00000002), ref: 0040919D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction ID: 12fdee1f1a38f8f84594a7dc0630a2f7cd4e6833b4cae735b61a70959561f857
Opcode Fuzzy Hash: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction Fuzzy Hash: 21417E71A0861AFBEF059F64C844BEEB774FF05324F20822AE425A63D1C7786D51CB99

Function 00463874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00463922
TranslateMessage.USER32(?), ref: 0046394B
DispatchMessageW.USER32(?), ref: 00463955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction ID: bb1ff0287ce62bead86746fbf48ef47533d84099492166c5736764d55e5b6b23
Opcode Fuzzy Hash: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction Fuzzy Hash: DB3166F05042C29AEB25DF359848FB737A4EB06305F14056FD452822A1F7B89A49CF2B

Function 0046CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0046CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFF2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f6cfcfddf25a378e0b6e70594a4dff803ad210e5b1dbd442aaa3f498e52d02ba
Instruction ID: 9c3ddc967c751a7ade6131948b5875b9eb418af922d9731fab98147ca578dd46
Opcode Fuzzy Hash: f6cfcfddf25a378e0b6e70594a4dff803ad210e5b1dbd442aaa3f498e52d02ba
Instruction Fuzzy Hash: 5D315C71A00205EFDB24DFA5C8C49BBBBFAEB14314B10443FF556D2280E738AD419BA9

Function 00451901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00451915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004519E2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction ID: cf04c11d3479dd832bb7c9fdfa244a2dc0576a669271394121f6e7d81948690d
Opcode Fuzzy Hash: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction Fuzzy Hash: 7831C2B1900219EFCB00CFA8CD99BDE7BB5EB44315F10462AFD21A72E2C7749958CB95

Function 00485706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00485745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0048579D
_wcslen.LIBCMT ref: 004857AF
_wcslen.LIBCMT ref: 004857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction ID: 0d47ab0328f5a9c208649f48ef07d21c5610cdd67dc58b692b1031197a26bcd4
Opcode Fuzzy Hash: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction Fuzzy Hash: 0D21A7759046189ADB21EF60CC84AEEB778FF04724F108527E919EA290D7788985CF58

Function 00470930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00470951
GetForegroundWindow.USER32 ref: 00470968
GetDC.USER32(00000000), ref: 004709A4
GetPixel.GDI32(00000000,?,00000003), ref: 004709B0
ReleaseDC.USER32(00000000,00000003), ref: 004709E8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction ID: 4c1a644bd39ab56d325f435d2930e39008f364ea49e56b9ee79d5bf206111a51
Opcode Fuzzy Hash: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction Fuzzy Hash: 6D218175600204EFD704EF69D984AAEBBE5EF45704F04847DE94AA7362DB34AC04CBA4

Function 0042CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0042CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042CDE9

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0042CE0F
_free.LIBCMT ref: 0042CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE31

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction ID: ab4ed7389d663d788e30138c24c69d3cb8b70599e5139791fe481282a1b180fb
Opcode Fuzzy Hash: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction Fuzzy Hash: 180171727016257F23211AB67CCCD7F696DDEC6BA1356022EFD05C7201EE698D0282B9

Function 00409639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
SelectObject.GDI32(?,00000000), ref: 004096A2
BeginPath.GDI32(?), ref: 004096B9
SelectObject.GDI32(?,00000000), ref: 004096E2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction ID: 2a881fd673e7b3cbc4d62aaec86b14e62f606b0f94515031a8b1652ee97cccf8
Opcode Fuzzy Hash: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction Fuzzy Hash: 9A2160B0802205EBDB519F64EC48BAE3BA4BB52755F10063AF810A71F2D3799C51CF9C

Function 00455711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455726
_memcmp.LIBVCRUNTIME ref: 00455744
_memcmp.LIBVCRUNTIME ref: 00455757
_memcmp.LIBVCRUNTIME ref: 0045576F
_memcmp.LIBVCRUNTIME ref: 00455787

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction ID: 86b9a5f6793469b74cfd8333fb500d9ef4fa62afca46ad5172b5eb541b639a0b
Opcode Fuzzy Hash: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction Fuzzy Hash: 1201F97124160DBBE20866129D52FFF735C9B24399F200037FE049A642F72CEE5983AD

Function 00422DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6), ref: 00422DFD
_free.LIBCMT ref: 00422E32
_free.LIBCMT ref: 00422E59
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E66
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E6F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction ID: 2db0e56773ff726ca93f7f38992ab5d06686d5ce61b175164cda994466f7cd4a
Opcode Fuzzy Hash: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction Fuzzy Hash: 6801D672345620778612273A7E86D2F166DABD53697E2053FF815A2292EBFC8C02613C

Function 0045000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450070

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction ID: fc89c02eb80fed6cdd141bffd8de87b6559dfa88b645db80e913d4ba3ac1a0b9
Opcode Fuzzy Hash: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction Fuzzy Hash: 8901FD7A600204BFDB105F68EC84BAE7AEDEF44B93F144429FC01E2251E778DD048BA4

Function 0045E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0045E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0045E9A5
Sleep.KERNEL32(00000000), ref: 0045E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0045E9B7
Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction ID: 4137c17ad77bb62216778add15f27ee6110b0852c3f8c11cc8e355379e2a0a52
Opcode Fuzzy Hash: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction Fuzzy Hash: 4F016171C01529DBCF049FE6DD896DDBB78FF09301F00095AD911B2251DB349659CB69

Function 004510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction ID: d6a950919ce7e060bbcd3bb3dad89b07e16068d242b1c11f48d1781e22f832b3
Opcode Fuzzy Hash: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction Fuzzy Hash: 06014675200605AFDB115BA4EC89A6B3B6EEF893A1B210869FA41C2360DB31DC008F74

Function 00450FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction ID: ce851017a9f58ef336ed916b4544e7cf8b38b34f99dcbe3cc2704e8e171c0e87
Opcode Fuzzy Hash: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction Fuzzy Hash: 34F04F35141311ABD7214FA4AC8DF5B3BADEF8AB62F504829FD45D62A1CB74DC408B74

Function 00451014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction ID: 164a38c24bf4a6539ec3f7a2a760c9aff5126220a3ef2c4113a7a064d732aa83
Opcode Fuzzy Hash: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction Fuzzy Hash: 9AF04F35140311ABD7215FA4EC89F5B3B6DEF8AB61F100829FD45D62A1CB74D840CB74

Function 0046030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460324
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460331
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046033E
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046034B
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460358
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460365

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction ID: 79afb20e9566886d2cdd39e5621b3e7b1233f217922f30f39840716d7f77f868
Opcode Fuzzy Hash: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction Fuzzy Hash: B001D872800B118FCB30AF66D880803FBF9BE602063048A3FD19252A30C3B4A988CF85

Function 0042D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042D752

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D764
_free.LIBCMT ref: 0042D776
_free.LIBCMT ref: 0042D788
_free.LIBCMT ref: 0042D79A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction ID: 9e1c207d8a0d9f7407614b5cfa84085a86f8c1a38e624d5d5de8273868220900
Opcode Fuzzy Hash: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction Fuzzy Hash: 63F0ECB2B44224AB9621FB65FAC5C1777DDBB88715BE40D1AF048D7601C76CFC80866C

Function 00455C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00455C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00455C6F
MessageBeep.USER32(00000000), ref: 00455C87
KillTimer.USER32(?,0000040A), ref: 00455CA3
EndDialog.USER32(?,00000001), ref: 00455CBD

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction ID: 32dd5cd1801b477c65f7b53c62ab59eedc3f083d42b01472c63915e64471c120
Opcode Fuzzy Hash: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction Fuzzy Hash: C6018B305007049BFB215B10DD9EFBA77B8BF00706F00057EA553B14E2D7F459488B59

Function 004222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004222BE

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 004222D0
_free.LIBCMT ref: 004222E3
_free.LIBCMT ref: 004222F4
_free.LIBCMT ref: 00422305

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction ID: 0b8c2972e45432dc30bbcc891f9b4d0b469a72404b429d80875f93a0bccd7faa
Opcode Fuzzy Hash: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction Fuzzy Hash: 04F030F8A00131EB8652BF55BD81C493B64FF19751781066FF410D2272C7B904919BAC

Function 004095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004095D4
StrokeAndFillPath.GDI32(?,?,004471F7,00000000,?,?,?), ref: 004095F0
SelectObject.GDI32(?,00000000), ref: 00409603
DeleteObject.GDI32 ref: 00409616
StrokePath.GDI32(?), ref: 00409631

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction ID: b4656f6ba40105e4bde705fbcafd01e4f7162818cf746b4be2cdf904052431e7
Opcode Fuzzy Hash: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction Fuzzy Hash: 6AF0AF71006604EBCB964F65EC5CB693F61BB02362F008238F425651F2C73589A1DF2C

Function 00420F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004210F9
__freea.LIBCMT ref: 00421117

Part of subcall function 00421537: _free.LIBCMT ref: 0042154F

Strings

am/pm, xrefs: 0042117A
a/p, xrefs: 004211DE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction ID: c5e4698813a9c4af943c3db86f69e1997b95dafd2aff0732bbe73b9414966e94
Opcode Fuzzy Hash: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction Fuzzy Hash: 19D1F431B00225DADB24CF68E4457BBB7B2EF25300FA4415BE901ABB61D37D9D81CB59

Function 004761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00476238

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Part of subcall function 0046359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4
Part of subcall function 0046359C: LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

x#L, xrefs: 0047633A
x#L, xrefs: 0047636F
x#L, xrefs: 00476353

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#L$x#L$x#L
API String ID: 1072379062-3109749233
Opcode ID: a9cbc0aee36071dee9835f0b49b30dbb090aa2190b47d74fb44cd61a196791cd
Instruction ID: 64644cbfe21e81e3d8290094617c863be5274d764b31de8964612e44997157cf
Opcode Fuzzy Hash: a9cbc0aee36071dee9835f0b49b30dbb090aa2190b47d74fb44cd61a196791cd
Instruction Fuzzy Hash: C7C18171A00509AFCB15DF58C890EFEB7BAEF48304F15806EE9099B291D778ED45CB54

Function 00425AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO?, xrefs: 00425BA8, 00425C6C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: JO?
API String ID: 0-1137422323
Opcode ID: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction ID: 42bf14f644f9c70790bf9e70532f370fee053671a2c07c4e20b76aa06930915e
Opcode Fuzzy Hash: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction Fuzzy Hash: F6511471F006299FCB209FA6E845FEFBFB4AF05314F90005BF405A7291E6799942CB69

Function 00428A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00428B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00428B7A
__dosmaperr.LIBCMT ref: 00428B81

Strings

.A, xrefs: 00428A63

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .A
API String ID: 2434981716-2826776520
Opcode ID: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction ID: 2bf43f7b5097ca5df13844b0e462b77683e189a96c08f26ea9d9117d1d311627
Opcode Fuzzy Hash: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction Fuzzy Hash: 38419B70705065AFDB249F24E880A7E3FA5DB86304F2841AFF88587642DE399C13879C

Function 00452716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521D0,?,?,00000034,00000800,?,00000034), ref: 0045B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00452760

Part of subcall function 0045B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0045B3F8

Part of subcall function 0045B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0045B355
Part of subcall function 0045B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B365
Part of subcall function 0045B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0045281A

Strings

@, xrefs: 00452832

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction ID: e90668d93938a6279794ad72d79abc866fc818a7bee1e7e1b9a656a0eacace2f
Opcode Fuzzy Hash: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction Fuzzy Hash: 8A413072900218BFDB11DFA4CD81AEEBBB8EF09304F00405AFA55B7181DB746E49CBA4

Function 0042172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00421769
_free.LIBCMT ref: 00421834
_free.LIBCMT ref: 0042183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00421760, 00421767, 00421796, 004217CE

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction ID: 1ea8e1ab5315a3f54a44d33a7c22d0e7cdba99f2ca4594f1815c1ad48fee725b
Opcode Fuzzy Hash: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction Fuzzy Hash: 30318375B00228ABDB21DF99A885D9FBBBCEB95310B9041ABF404D7221D6748E40CB98

Function 0045C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0045C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0045C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1990,00D57B30), ref: 0045C395

Strings

0, xrefs: 0045C2DF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction ID: add060372f03583cecbcdaf44b3f711b842cc66fec8595c972d70fc03e72a044
Opcode Fuzzy Hash: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction Fuzzy Hash: 7C41A0312043059FD720DF25D884B5BBBE4AF85315F048A1EFDA597392D738A908CB6A

Function 00484416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0048CC08,00000000,?,?,?,?), ref: 004844AA
GetWindowLongW.USER32 ref: 004844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004844D7

Strings

SysTreeView32, xrefs: 0048447C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction ID: 2cf99836bc4f48fdab76a98b0447a851685c2ace728a725cdfaef6106466cd33
Opcode Fuzzy Hash: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction Fuzzy Hash: 3F31C131100206AFDB11AE78DC45BEF77A9EB48734F204B2AF975A22E0D778EC508764

Function 00456E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00456EED
VariantCopyInd.OLEAUT32(?,?), ref: 00456F08
VariantClear.OLEAUT32(?), ref: 00456F12

Strings

*jE, xrefs: 00456E8B, 00456E90, 00456EF8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jE
API String ID: 2173805711-1396648982
Opcode ID: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction ID: 99c24ddcb65b185a27d1f66cb27b117fc476fe0d11e576f07aec29c828396c7b
Opcode Fuzzy Hash: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction Fuzzy Hash: 4931D572B04209DFCB05AF64E8918BE7776EF41301B5104AAF9064F3A2C7389916DBD9

Function 0047304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00473077,?,?), ref: 00473378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
_wcslen.LIBCMT ref: 0047309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00473106

Strings

255.255.255.255, xrefs: 00473095, 0047309A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction ID: df8d1bb0e29c041594ad45fb59a291a3d65859afcdc4808d2d78e24de66b505a
Opcode Fuzzy Hash: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction Fuzzy Hash: 773104392002459FCB20DF28C585EEA77E0EF14319F64C09AE9198F392DB3AEE45D765

Function 00483EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00483F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00483F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00483F78

Strings

SysMonthCal32, xrefs: 00483F0B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 06617190fa9dbda3c7e4545b1f750867804897d449853bc6a17b693a306e63f8
Instruction ID: f13a9eb5eff0674d8fb5e1fd2f24cd496aee3b63822705db7b93e9bc87b6e012
Opcode Fuzzy Hash: 06617190fa9dbda3c7e4545b1f750867804897d449853bc6a17b693a306e63f8
Instruction Fuzzy Hash: 6921DD32600219BBDF129F50CC86FEE3B75EF48718F110619FB056B190D6B9A8508BA4

Function 00484653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00484705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00484713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0048471A

Strings

msctls_updown32, xrefs: 00484684

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction ID: ac5090f713269a23a6e3698d3d26a0c0042a83fb5f1205bcf89921b4507b2825
Opcode Fuzzy Hash: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction Fuzzy Hash: 4A214CB5600209AFDB11EF64DCC1DBB37ADEB8A398B14045AFA009B361DB74EC11CB64

Function 004595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045961D

Strings

#requireadmin, xrefs: 004595D9
#OnAutoItStartRegister, xrefs: 004595F3
#notrayicon, xrefs: 004595B7

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: fceb15f2c9b39c84d44ec1d59db50b7068fba9b0f32d5c7ee053f69f86feb084
Instruction ID: 38d54739f330acf163edd163feb456cba4994d2f0005ec645b1fab792eb184f7
Opcode Fuzzy Hash: fceb15f2c9b39c84d44ec1d59db50b7068fba9b0f32d5c7ee053f69f86feb084
Instruction Fuzzy Hash: 6B214672204214A6C731BA25D802FBB73D89FA0311F54443BFD49DB282EB5CAD9EC29D

Function 004837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00483840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00483850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00483876

Strings

Listbox, xrefs: 0048380F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction ID: 172d8a895e10a3dc37e1b00a5c65662c75bb55efccbb1e87ff71bf6579525d45
Opcode Fuzzy Hash: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction Fuzzy Hash: 2321C272610118BBEF11AF54CC85FBF37AEEF89B50F108525F9049B290CA75DC5287A4

Function 004649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00464A5C
SetErrorMode.KERNEL32(00000000,?,?,0048CC08), ref: 00464AD0

Strings

%lu, xrefs: 00464A6F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction ID: d04aff682bde99685981fa4f1e50e51ca13b72045f524ffed2065ab9e75a3f50
Opcode Fuzzy Hash: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction Fuzzy Hash: E6315E75A00108AFDB11DF54C8C5EAE7BF8EF48308F1480AAE909DB252D775ED45CB65

Function 004841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0048424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00484264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00484271

Strings

msctls_trackbar32, xrefs: 00484226

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction ID: 7f3a72d5a9822bbddb3227102a6f4a82b6ebfb50ca3d9e2da9344c7aea177102
Opcode Fuzzy Hash: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction Fuzzy Hash: 5E1127312442097EEF206F24CC06FAB3BACEFC5764F110525FA50E21A0D675D8119724

Function 00452F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Part of subcall function 00452DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
Part of subcall function 00452DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
Part of subcall function 00452DA7: GetCurrentThreadId.KERNEL32 ref: 00452DDD
Part of subcall function 00452DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

GetFocus.USER32 ref: 00452F78

Part of subcall function 00452DEE: GetParent.USER32(00000000), ref: 00452DF9

GetClassNameW.USER32(?,?,00000100), ref: 00452FC3
EnumChildWindows.USER32(?,0045303B), ref: 00452FEB

Strings

%s%d, xrefs: 00452FFF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction ID: 0f82be62f6a8490b1144474ad14ea74c86ebd7a04d8a69c83dd0b48039bb3a05
Opcode Fuzzy Hash: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction Fuzzy Hash: 2211C3712002096BCF517F618C96EEE376AAF84306F04407ABD09AB297DE74590D8B74

Function 00485882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858EE
DrawMenuBar.USER32(?), ref: 004858FD

Strings

0, xrefs: 0048588F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 886237e3b9b1cfeffd6e1ae6984496f1cfa279cee6bbe02ca9d150e1d0e5ed96
Instruction ID: e81381b3c9e6d46153f12fa51f79368ad6beb73434b0621be6f651ac08f47256
Opcode Fuzzy Hash: 886237e3b9b1cfeffd6e1ae6984496f1cfa279cee6bbe02ca9d150e1d0e5ed96
Instruction Fuzzy Hash: 3A016D71500218EFDB21AF11DC44BAFBBB4FB45760F1084AAE849D62A1DB348A84DF79

Function 0044D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0044D3BF
FreeLibrary.KERNEL32 ref: 0044D3E5

Strings

X64, xrefs: 0044D2A8
GetSystemWow64DirectoryW, xrefs: 0044D3B9

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction ID: b0696bc86667217f37066244b90b1209df304a4af4e88c7892c2e4331e05b46a
Opcode Fuzzy Hash: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction Fuzzy Hash: 1FF0A731D0561197F77166105CD8A9E3314BF11B01B9485ABE801F5259D7BCCD454BAE

Function 0045007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction ID: b8d31c8e30f9867714135620b3f5367c86e0ec053039b3b191a7ae0cb794b4a4
Opcode Fuzzy Hash: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction Fuzzy Hash: 50C18D79A00206EFCB14CFA4C894EAEB7B5FF48705F208599E805EB252C735ED46CB94

Function 0047342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00473459
CoUninitialize.OLE32 ref: 00473463
VariantInit.OLEAUT32(?), ref: 0047346E
VariantClear.OLEAUT32(?), ref: 0047371B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 7c8f2fea7515512d3d85448716bfda3ec14cfefdda6625f16279de89057be490
Instruction ID: 2f1fbab8f1ada27a1bdf2192cd2baa2b6ffd6938156badaa2e9b301142842e70
Opcode Fuzzy Hash: 7c8f2fea7515512d3d85448716bfda3ec14cfefdda6625f16279de89057be490
Instruction Fuzzy Hash: CEA19875204300AFC710DF28C485A6AB7E4FF89714F04885EF98A9B362DB34EE05CB96

Function 00450436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 004505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 00450608
CLSIDFromProgID.OLE32(?,?,00000000,0048CC40,000000FF,?,00000000,00000800,00000000,?,0048FC08,?), ref: 0045062D
_memcmp.LIBVCRUNTIME ref: 0045064E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4738a6d5a88af72bedc714a16ced976f71545bfd4d60eff557b8e10973dfcb13
Instruction ID: 29e10c40c47206fd5e757fb4c94852a8b08ef0dd0a47c255cd2fa2bf66d597b4
Opcode Fuzzy Hash: 4738a6d5a88af72bedc714a16ced976f71545bfd4d60eff557b8e10973dfcb13
Instruction Fuzzy Hash: 54816D75A00109EFCB04DF94C984EEEB7B9FF89305F204559F906AB251DB35AE0ACB64

Function 0047A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0047A6BA

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0047A79C
CloseHandle.KERNEL32(00000000), ref: 0047A7AB

Part of subcall function 0040CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00433303,?), ref: 0040CE8A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 310141131a26403fc8d1edc6b8fdc6368201d79b2c74d6f6b070a117ae7528f9
Instruction ID: 6aefa082078bfe665e11c855dec7822fee06fda605e69b5183af7871881dff64
Opcode Fuzzy Hash: 310141131a26403fc8d1edc6b8fdc6368201d79b2c74d6f6b070a117ae7528f9
Instruction Fuzzy Hash: BC515F71508304AFD711EF25C886A6FBBE8FF89754F00892EF58997291EB34D904CB96

Function 00431391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004314C0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction ID: 65fe38f356106820a60d04bc5fa76b51e77e4f2d3ce91d67af362e7d655ff17d
Opcode Fuzzy Hash: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction Fuzzy Hash: 24417031B001106BDB217BBE9C456AF3AA5EF59374F14526FF419C22A1EA3C4842436A

Function 00486278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004862E2
ScreenToClient.USER32(?,?), ref: 00486315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00486382

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction ID: bf26de3b5c76c2014d17e6e465147e70337d8c0d6b767f2a7dd65807d9177419
Opcode Fuzzy Hash: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction Fuzzy Hash: 81513974A00209EFCB50EF68D880AAE7BB5FF45360F11896AF9159B3A0D734ED81CB54

Function 00471AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00471AFD
WSAGetLastError.WSOCK32 ref: 00471B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00471B8A
WSAGetLastError.WSOCK32 ref: 00471B94

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction ID: 04d587302480ff1a46039f1ae9838fab5bd6750dec5dc57913cc03559adced7c
Opcode Fuzzy Hash: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction Fuzzy Hash: E941CD34640200AFE720AF24C886F7A77E5AB44718F54C45DFA1A9F3D3D676ED428B94

Function 0042B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction ID: 4dbbb687ce08803d6b2904b2abc85c9ed469ba79cba645b179599302d466ca5d
Opcode Fuzzy Hash: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction Fuzzy Hash: 5A412871B00714BFD724AF39DC41BAABBA9EB88724F50452FF041DB291D379994187C8

Function 004656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00465783
GetLastError.KERNEL32(?,00000000), ref: 004657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004657FA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction ID: 6db8cb94d8adb7e77959142d57c7ce9fd982ee05a20edcc8404dc74d812db1c7
Opcode Fuzzy Hash: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction Fuzzy Hash: A2415F39600615DFCB11EF15C544A2EBBE2EF49720F188889E94A9F362DB74FD04CB95

Function 0042D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00416D71,00000000,00000000,004182D9,?,004182D9,?,00000001,00416D71,?,00000001,004182D9,004182D9), ref: 0042D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0042D9AB
__freea.LIBCMT ref: 0042D9B4

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction ID: 2d21967d96219998749e279bb71ecf0606d33e7e3d333c3a58ce5c69c84fec97
Opcode Fuzzy Hash: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction Fuzzy Hash: 0531A2B1A0021AABDB24DF65EC85EAF7BA5EF40310F55416AFC04D6250D739CD90CB94

Function 004852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00485352
GetWindowLongW.USER32(?,000000F0), ref: 00485375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00485382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004853A8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction ID: e70f3620527e6c2764c816a27b9ffa480f7a1e11828a126de148c2cbba6651d0
Opcode Fuzzy Hash: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction Fuzzy Hash: 5931D434A55A08FFEB31AA14CC45FEE3761AB05391F584817FE10962E1C7B89E40975A

Function 0045AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0045ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0045AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0045AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0045ACC6

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction ID: 4564a86129828aa74d7430e056d0f9d07519d8dd45eaf3e8c792136e9bbbd318
Opcode Fuzzy Hash: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction Fuzzy Hash: 3D311A309002186FEF36CB6588097FF7AA5AB45312F04471FE885562D2D37C89A9875A

Function 00487674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048769A
GetWindowRect.USER32(?,?), ref: 00487710
PtInRect.USER32(?,?,00488B89), ref: 00487720
MessageBeep.USER32(00000000), ref: 0048778C

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction ID: 33f65d4ad6bc72ac19a14467af8ca03fdc10735e762505de6fa8c2415a8587c7
Opcode Fuzzy Hash: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction Fuzzy Hash: 4F419C786052149FCB01EF58C8A4EAD77F4FB4A314F2848AAE8149B361D338F941DF98

Function 004816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004816EB

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

GetCaretPos.USER32(?), ref: 004816FF
ClientToScreen.USER32(00000000,?), ref: 0048174C
GetForegroundWindow.USER32 ref: 00481752

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction ID: 873be6987ef57565644f96d5261316af38b997820b4839d611ea5a08d4c5e351
Opcode Fuzzy Hash: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction Fuzzy Hash: EA316375D00249AFC700EFA9C881CAEB7FDEF48304B50446EE515E7211D7359E45CBA4

Function 00488FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetCursorPos.USER32(?), ref: 00489001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00447711,?,?,?,?,?), ref: 00489016
GetCursorPos.USER32(?), ref: 0048905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00447711,?,?,?), ref: 00489094

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction ID: f545f30ff115bfb87a4bb7a597e0e07735d77431f3fc65bbbe1c1214c80004ab
Opcode Fuzzy Hash: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction Fuzzy Hash: 17218035600418EFCB159F94CC98EFF7BB9EB4A350F18446AF50657261C3399D50EB64

Function 0045D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0048CB68), ref: 0045D2FB
GetLastError.KERNEL32 ref: 0045D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0045D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0048CB68), ref: 0045D376

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction ID: 7480bcd365b1839bf4ad789e6773b70588f94403a762613714b2cb3a41a4d2a5
Opcode Fuzzy Hash: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction Fuzzy Hash: 5B21B4709052019F8310DF24C88196F77E4AE55365F104A6EFC99C72A2D734D90ACB97

Function 00451571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
Part of subcall function 00451014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
Part of subcall function 00451014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
Part of subcall function 00451014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004515BE
_memcmp.LIBVCRUNTIME ref: 004515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00451617
HeapFree.KERNEL32(00000000), ref: 0045161E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction ID: 708d80028e30d103f1581c5b261554e3694ae9a963a13cf1c0f622b2cc6efdff
Opcode Fuzzy Hash: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction Fuzzy Hash: 7F218E31E40108EFDF00DFA4C985BEFB7B8EF44345F08445AE851A7252E738AA09CBA4

Function 00482782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0048280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00482840

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8cc2dd4e0feabf636a3510d7a681e67ed5a1c67c3bc24a79fbac06610b889924
Instruction ID: 0b9e71695a6da889295fcdcb40523162e44daf6eb8dbd385221ecdd65c634f7a
Opcode Fuzzy Hash: 8cc2dd4e0feabf636a3510d7a681e67ed5a1c67c3bc24a79fbac06610b889924
Instruction Fuzzy Hash: B8210331204511AFDB14BB24C984FAEBB95EF45324F14865EF8268B6E2C7B9FC42C794

Function 004578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00458D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458D8C
Part of subcall function 00458D7D: lstrcpyW.KERNEL32(00000000,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00458DB2
Part of subcall function 00458D7D: lstrcmpiW.KERNEL32(00000000,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457923
lstrcpyW.KERNEL32(00000000,?,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457984

Strings

cdecl, xrefs: 0045797B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c32c09608d1b7c2659380caf498bc9fc4eb018b1747d9f974abff436c41aea6d
Instruction ID: eba83ae82543d235a64b1b3eeb507fb383546400172e47e14a996bb93330b060
Opcode Fuzzy Hash: c32c09608d1b7c2659380caf498bc9fc4eb018b1747d9f974abff436c41aea6d
Instruction Fuzzy Hash: A611E47A200241ABDB159F35D884E7B77A5FF85351B10403FEC02C73A6EB359805C7A9

Function 00487CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00487D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00487D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00487D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0046B7AD,00000000), ref: 00487D6B

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b91eb02d5017581bbbecc1bbbec7c083d4ed65961bbf244036779149a5c89ef8
Instruction ID: e755ed532245cf58aae579a9894451f8e52385cf6d2a872ff709b529a7d1c4b9
Opcode Fuzzy Hash: b91eb02d5017581bbbecc1bbbec7c083d4ed65961bbf244036779149a5c89ef8
Instruction Fuzzy Hash: A211C032504614AFCB10AF28CC54E6A3BA4AF463A0B258B39F835D72F0E734D911CB58

Function 00485660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004856BB
_wcslen.LIBCMT ref: 004856CD
_wcslen.LIBCMT ref: 004856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction ID: d19430b1cf300465235462a6f7ddad68ece222a7b8f65f06225857e5dc0e7603
Opcode Fuzzy Hash: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction Fuzzy Hash: 7711E17560060896DF20FF61CC81BEF77ACAF01764B10482BF919E6181EB78CA84CB68

Function 00421D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e2e92c2c135f162d0f94fe89e72a60bd69d68c70ed0c4d4348da8133e7c6f6
Instruction ID: cdc8c5e3c210a284f70de2a395bab3b4bfe26e5a938eb59c667212c1ec70a138
Opcode Fuzzy Hash: 19e2e92c2c135f162d0f94fe89e72a60bd69d68c70ed0c4d4348da8133e7c6f6
Instruction Fuzzy Hash: 3701A2F231562ABEF62116797CC0F27661CDF513B8BB1072BF521912E2DB78AC414178

Function 00451A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00451A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A8A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction ID: 155ce6991d4b67cf5d9cf5077bb4da9994e553436604a270445afca39f600bcc
Opcode Fuzzy Hash: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction Fuzzy Hash: F4113C3AD01219FFEB11DBA5CD85FADBB78EB04750F2000A6EA00B7290D6716E50DB98

Function 0045E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0045E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0045E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0045E24D

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction ID: 0fdd78955012a35e7a50c88c50ded66ec9ae3a0577fac1a87a1a4478523b885d
Opcode Fuzzy Hash: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction Fuzzy Hash: 25110872904254BBD7059FA9AC49E9F7FACDB45315F00466AFC24D32A2D6B48E0487B8

Function 0041D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0041CFF9,00000000,00000004,00000000), ref: 0041D218
GetLastError.KERNEL32 ref: 0041D224
__dosmaperr.LIBCMT ref: 0041D22B
ResumeThread.KERNEL32(00000000), ref: 0041D249

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction ID: ea23e5cb49b2f9a058dcd1a7e7182827785a7648d8e1e47843ae33961e0331a0
Opcode Fuzzy Hash: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction Fuzzy Hash: 160126B6D041047BC7115BA6DC49BEF7B69DF81334F20026EF825921D0CB758882C7A9

Function 00489EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetClientRect.USER32(?,?), ref: 00489F31
GetCursorPos.USER32(?), ref: 00489F3B
ScreenToClient.USER32(?,?), ref: 00489F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00489F7A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6196870a7da3a9268960c1df6adaffcb5d97f620f1558e7d5c2449df051d2306
Instruction ID: 6c8fdab96d30f23f3801f4e475ba7da2af5b4883d525d5c9bd4658821f25b927
Opcode Fuzzy Hash: 6196870a7da3a9268960c1df6adaffcb5d97f620f1558e7d5c2449df051d2306
Instruction Fuzzy Hash: 06116A3150051AABDB05EF59C885DFE77B8FB05311F04086AFA02E3151D338BE81CBA9

Function 003F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
GetStockObject.GDI32(00000011), ref: 003F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction ID: cb805cffc32a631ee514fb4a1c3ec3acb275646e226185e981e3f945f4fcae02
Opcode Fuzzy Hash: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction Fuzzy Hash: BE118B7210550EBFEF124FA48C85EFABB69EF083A4F110226FA0552020DB329C60DBA4

Function 00413B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00413B56

Part of subcall function 00413AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00413AD2
Part of subcall function 00413AA3: ___AdjustPointer.LIBCMT ref: 00413AED

_UnwindNestedFrames.LIBCMT ref: 00413B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00413B7C
CallCatchBlock.LIBVCRUNTIME ref: 00413BA4

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0f63c6f4fba2aa4e331f40f41c64457b5adeaca745f58fb13cca8157044ebeb1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2A014072100148BBDF115E96CC42EEB3F6DEF88759F04401AFE4856121D73AE9A1DBA4

Function 00423073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003F13C6,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue), ref: 004230A5
GetLastError.KERNEL32(?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000,00000364,?,00422E46), ref: 004230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000), ref: 004230BF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction ID: a72b0896432964981b10554a49ad5ac60cc6df7d2df6b5a655a47aad46782a79
Opcode Fuzzy Hash: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction Fuzzy Hash: 8201D832741236ABC7214E78BC8495777A89F05B62B500A35F905E3244C73DD901C7F8

Function 00457464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0045747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00457497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004574CA

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction ID: 6bd56ac1acfb4f64e91b87b1af515c939a419867e8b570f856d89a0ab287a723
Opcode Fuzzy Hash: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction Fuzzy Hash: 9411A1B1205310ABE7208F24ED48F967BFCEB01B01F10857EEE16D6152D774E948DBA5

Function 0045B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B126

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction ID: ee867ad59def7efabe93f633a680ae38d2aba54d8ef32ddd81d9c959849d6d3a
Opcode Fuzzy Hash: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction Fuzzy Hash: 07115E31C0191CE7CF00AFE5D9986EEBB78FF09752F10449AD941B2286CB3455558BA9

Function 00487E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00487E33
ScreenToClient.USER32(?,?), ref: 00487E4B
ScreenToClient.USER32(?,?), ref: 00487E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00487E8A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 80d1a173c37a97c6e55b1eabff071eab7e4fcabeb761f877d09646504da3ba7f
Instruction ID: 785e13a838e5945cab849a65381a0fd07e56071f69a4e4886ccf7e1206afa025
Opcode Fuzzy Hash: 80d1a173c37a97c6e55b1eabff071eab7e4fcabeb761f877d09646504da3ba7f
Instruction Fuzzy Hash: 0E1156B9D0020AAFDB41DF98C884AEEBBF5FF08310F505466E925E3210D735AA54CF64

Function 00452DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
GetCurrentThreadId.KERNEL32 ref: 00452DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction ID: 4a7181158fd758e8389356ccdb70296c6c4d816c4fb4366791348b1a0ad8357e
Opcode Fuzzy Hash: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction Fuzzy Hash: 8FE06D711412247AD7201B62AC8DFEB3E6CEB43BA2F00052AB905E1081AAA88849C7B4

Function 00488863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00488887
LineTo.GDI32(?,?,?), ref: 00488894
EndPath.GDI32(?), ref: 004888A4
StrokePath.GDI32(?), ref: 004888B2

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction ID: bf58733776772d6f6cef47067b1d94fd51f29bc13e0285c622ae118d30030de2
Opcode Fuzzy Hash: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction Fuzzy Hash: 3DF03A36041258FADB126F94AC49FCE3B59AF06310F448429FA11651E2C7B95511CFAD

Function 004098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004098CC
SetTextColor.GDI32(?,?), ref: 004098D6
SetBkMode.GDI32(?,00000001), ref: 004098E9
GetStockObject.GDI32(00000005), ref: 004098F1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction ID: 3084669143e3b42f37cee25a02c4bf846bf0e195b17a2f0655dae9eab89bc20b
Opcode Fuzzy Hash: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction Fuzzy Hash: F6E06531244240BEEB215B74BC4DBED3F10AB11335F04862EF6F5581E1C37556419F24

Function 0045162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00451634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004511D9), ref: 00451648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045164F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction ID: 6da2111cf45dcd7b1c4ab75b25fc3d76e34d1fba515434d7f42e88afbb5813e9
Opcode Fuzzy Hash: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction Fuzzy Hash: CAE04F316012119BD7201BF4AD4DB4B3B68AF56792F154C2DF646C9090D638444587A8

Function 0044D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D858
GetDC.USER32(00000000), ref: 0044D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction ID: 99c979eb747547dd4dd6bc36a802745f9c9227c1c7ad9ed7ba9e6754b043d6b9
Opcode Fuzzy Hash: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction Fuzzy Hash: 61E01AB4C00205DFCB41AFF4D94866DFBB2FB48310F108829E906F7250D7384902AF69

Function 0044D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D86C
GetDC.USER32(00000000), ref: 0044D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction ID: d2794ebbd97957c92b67e3e79c0d2f79d4b04198eb684f3a331811f0b7f56c38
Opcode Fuzzy Hash: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction Fuzzy Hash: 1CE01A74C00204DFCB419FB4D84866DBBB1BB48310B108829E90AF7250D7385902AF64

Function 00464D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00464ED4

Strings

LPT, xrefs: 00464DFB
*, xrefs: 00464E10

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dc7ab85eeeed8f049c14426c73a4698b13a3b6f12aa3e887bcbb5f6af3d7f625
Instruction ID: dcd355d666b1b54ac28dde6d93a25ecd94d18034b52544ac1b7b774975fe1ceb
Opcode Fuzzy Hash: dc7ab85eeeed8f049c14426c73a4698b13a3b6f12aa3e887bcbb5f6af3d7f625
Instruction Fuzzy Hash: B8915275A00204DFCB15DF54C484EAABBF1BF85304F15809AE40A9F3A2D779EE85CB96

Function 0041E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041E30D

Strings

pow, xrefs: 0041E2E5, 0041E302

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dd1f4dbc635365349f16cc0bbeb0318d2190158ef328d040d6d824dbb31d304c
Instruction ID: ba01213e67fe3d53cc0ddc5762218ac8b8eb004e4a90bb2ce69e75d96788fcf0
Opcode Fuzzy Hash: dd1f4dbc635365349f16cc0bbeb0318d2190158ef328d040d6d824dbb31d304c
Instruction Fuzzy Hash: 15519D75B0C11696CB117726D9413FB3B94AB10740F7489BBE8A5823E9DB3C8CC19A4E

Function 00477771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,?,00000000,00000000), ref: 004778DD

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,00000000,?,00000000,00000000), ref: 0047783B

Strings

<sK, xrefs: 004777C8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sK
API String ID: 3544283678-925661131
Opcode ID: f444af60002007334f2516599114996cc39040fef85855513c95570659e02502
Instruction ID: dad47bb313354f1058a1043a51790bea501ef376986ad03f30b8db2fea784a56
Opcode Fuzzy Hash: f444af60002007334f2516599114996cc39040fef85855513c95570659e02502
Instruction Fuzzy Hash: 326182B691411DAACF06FBA4CC91DFEB3B4BF14300B844526E606B7191EF785A05CBA5

Function 0040E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0040E1B1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction ID: 3b3e955dd0938784010ff088bc04d699b5e65e78dd195bcb016fdb6a90862baf
Opcode Fuzzy Hash: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction Fuzzy Hash: D5512235500246DFEB15DF2AC0816BA7BA4FF15320F2444ABED91AB3D0D6389D53CBA9

Function 0040F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0040F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040F2BB

Strings

@, xrefs: 0040F2AF

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction ID: d71ef60d6d28df093a1bd47a7fec7bf62fff155a859680e9ebda4eca05d0413b
Opcode Fuzzy Hash: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction Fuzzy Hash: 7E516B714187499BD320AF14D886BAFBBF8FF84304F81885DF295451A5EB308529CB6A

Function 00475745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004757E0
_wcslen.LIBCMT ref: 004757EC

Strings

CALLARGARRAY, xrefs: 004757E6, 004757EB

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3c1bde3c91842aa1de9cdbca21c4e229995d9f17009ae9420a5ea8b63d03b76a
Instruction ID: 6ad8ce6d639ad521ac0f53c792e6e2658fa01199f4ec9469f7fb7f91ccb03421
Opcode Fuzzy Hash: 3c1bde3c91842aa1de9cdbca21c4e229995d9f17009ae9420a5ea8b63d03b76a
Instruction Fuzzy Hash: 6741C331A001099FCB14EFAAC8819FEBBB4EF59314F11806FE509AB391D7789D81CB95

Function 0046D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0046D13A

Strings

|, xrefs: 0046D10B

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction ID: 821326b579eb6f70cd99bbf15193cc7c6946395a5b9ef2a8d782d8a7e47e2499
Opcode Fuzzy Hash: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction Fuzzy Hash: 41315D71D00209ABCF15EFA5CD85AEFBFB9FF15300F00001AF915AA261E775AA46CB65

Function 0048356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00483621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0048365C

Strings

static, xrefs: 004835BC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 70a8a61678a4369193dd1c73f6307122edf6d88a49b2d26cd3ce36d3cf5ed91b
Instruction ID: e83edfcdf0dc67c7699a9147ffd355f3409b9cee61ad98b817227ed9203f3f3a
Opcode Fuzzy Hash: 70a8a61678a4369193dd1c73f6307122edf6d88a49b2d26cd3ce36d3cf5ed91b
Instruction Fuzzy Hash: 0E31A171110604AADB20EF28DC80EBF73A9FF48B24F108A1EF95597290DA34AD81C768

Function 00484537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0048461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00484634

Strings

', xrefs: 0048458E

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction ID: 37667daf07ac6d207e9b774d3a0ffd8943d16143bea6b5b7a1cee2fcca5f2084
Opcode Fuzzy Hash: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction Fuzzy Hash: FD313B74A0130AAFDB14DF69C980BDE7BB5FF49300F10446AEA04AB351E774A941CF94

Function 004831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0048327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00483287

Strings

Combobox, xrefs: 00483249

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction ID: b50a2c0fa1905e0fe9f2230b493bf8a7fd59f102dfbe8c1e8dc15dd6ec523132
Opcode Fuzzy Hash: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction Fuzzy Hash: C611E2713002087FEF21AF94DC80EBF376AEB947A5F10092AF91897290D6399D518764

Function 00483710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

GetWindowRect.USER32(00000000,?), ref: 0048377A
GetSysColor.USER32(00000012), ref: 00483794

Strings

static, xrefs: 00483757

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction ID: a5bbf71c25b5a8e37c54d464ec363aee4df3fc81e342fe45c1e8bf28d0903bed
Opcode Fuzzy Hash: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction Fuzzy Hash: C7112CB2610209AFDF01EFA8CC45EEE7BB8EB08715F004929FD55E2250D739E8519B64

Function 0046CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0046CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0046CDA6

Strings

<local>, xrefs: 0046CD66

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction ID: c289eba94e55c98190403c0229ddabb3ee848b5623763387be6dc5b6a9a52223
Opcode Fuzzy Hash: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction Fuzzy Hash: F111E3712416327AD7244A668CC4EF7BE68EB127A4F00423BB18982180E2789841D6F6

Function 00483429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004834BA

Strings

edit, xrefs: 0048348F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction ID: 3edef9051a05f4ad5ede105c0293ca18cbe50c15722231db17cad7db1dda5cd1
Opcode Fuzzy Hash: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction Fuzzy Hash: CE11B271100108ABEF126E64DC84EBF3769EF05B79F504B25F961932E0C779DC519B68

Function 00456C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00456CB6
_wcslen.LIBCMT ref: 00456CC2

Strings

STOP, xrefs: 00456CBC, 00456CC1

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4ddcda6b33ab4b053888bc70450a495843f25384eccdeda6961d041ef25db502
Instruction ID: c72283bdb6e785cd5a50e9544192f77368ef9428af47e7499e6fb7ccb397521d
Opcode Fuzzy Hash: 4ddcda6b33ab4b053888bc70450a495843f25384eccdeda6961d041ef25db502
Instruction Fuzzy Hash: 63012B326005268BCB129FBDDC809BF73B4EF60711782093AEC5297292FB39D808C654

Function 00451CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00451D4C

Strings

ComboBox, xrefs: 00451CEB
ListBox, xrefs: 00451D16

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4907fa2e5991e1cb294c09c5f90dbd1e115a517d504e23239bd94f07866e1ea1
Instruction ID: 6e709eae5c10d8f685173847b66a73278914703210920fa0a1c6060094d2e0cc
Opcode Fuzzy Hash: 4907fa2e5991e1cb294c09c5f90dbd1e115a517d504e23239bd94f07866e1ea1
Instruction Fuzzy Hash: B901B571641218AB8B05EFA4CD51BFE7778EB46391B14051BEC226B3D2EA35690CC664

Function 00451BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00451C46

Strings

ComboBox, xrefs: 00451BE5
ListBox, xrefs: 00451C10

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ad7aa2dd8cb4464c225eef58c790f77a582bf1bfed07d793e763b794a8147ed3
Instruction ID: 5321e339e67e64625824bc12bd4a71fb9a5194f200638ddf89c1eebbfba71e29
Opcode Fuzzy Hash: ad7aa2dd8cb4464c225eef58c790f77a582bf1bfed07d793e763b794a8147ed3
Instruction Fuzzy Hash: 9701A77568110867CF16EBA0CA51BFF77A89F11381F14001BED0677292EA299E0CC6B9

Function 00451C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00451CC8

Strings

ComboBox, xrefs: 00451C69
ListBox, xrefs: 00451C94

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f1f9707c8f4858ac27dbf61d995e8284c2eca17baa8ff2fdebb5b0cdd90bbcae
Instruction ID: b6c09de2dc953b272af3a22bfd5aef36263feba1326fdbee55ae27234e447657
Opcode Fuzzy Hash: f1f9707c8f4858ac27dbf61d995e8284c2eca17baa8ff2fdebb5b0cdd90bbcae
Instruction Fuzzy Hash: DE01A77168011867CB06EBA1CA01BFF77A89B11381F14001BBD0177292EA299F0CD679

Function 0040A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A529

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Strings

3yD, xrefs: 0040A545, 0040A54D, 0040A552
,%L, xrefs: 0040A509

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%L$3yD
API String ID: 2551934079-3642919373
Opcode ID: b3c75a500e0fd76480ba2bc3a5cee3abc44875f4a4ef9b739c66b580d7da03dc
Instruction ID: 5ab62c6bd05ac69ddcd140697fe3376f5014cf52d054cb5af948ff70202326f7
Opcode Fuzzy Hash: b3c75a500e0fd76480ba2bc3a5cee3abc44875f4a4ef9b739c66b580d7da03dc
Instruction Fuzzy Hash: D301D431600714A7C601B7699D56FAE3354AB05710F50407BF6016B2C2DEE86D41869F

Function 00451D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00451DD3

Strings

ComboBox, xrefs: 00451D75
ListBox, xrefs: 00451DA0

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e163158c79c73a60ce01bea80725fa3901ff15d0474f127445aabb3f4c497a13
Instruction ID: 612fc270ae02a47e251d1cb6befa42ca734e6dbb07ad02f81a04ff397a0b50bd
Opcode Fuzzy Hash: e163158c79c73a60ce01bea80725fa3901ff15d0474f127445aabb3f4c497a13
Instruction Fuzzy Hash: A1F0F971A4021867CB05EBA4CD51BFF7778AB01381F04091BFD22672D2DA74690C8278

Function 00488172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3018,004C305C), ref: 004881BF
CloseHandle.KERNEL32 ref: 004881D1

Strings

\0L, xrefs: 0048818A

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0L
API String ID: 3712363035-986396046
Opcode ID: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction ID: da257b87bb91ff51fcf37b2d2a1594b93bdbb2c958f9b001e785ba8557aedd20
Opcode Fuzzy Hash: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction Fuzzy Hash: A1F05EB6640304BAE2606F62AC45FBB7A5CEB05756F00843ABF08D51A2D6798E5093BC

Function 0047747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00477493
_wcslen.LIBCMT ref: 004774B9

Strings

3, 3, 16, 1, xrefs: 00477483

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction ID: 36233daa3f9898c654f70fd0fcf7ceb5be08fc8c5b6e64ef883a8eb51223dc5c
Opcode Fuzzy Hash: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction Fuzzy Hash: 1FE02B52214220109231127B9CC1AFF56C9DFC57A0754182FF989C2376EA9C8DD193A8

Function 00450B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00450B23

Strings

Error allocating memory., xrefs: 00450B1C
AutoIt, xrefs: 00450B17

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 026466bfe67cbba3a90cabec3f1bbda13b81c69114465ba3ee418a443f62ddbb
Instruction ID: 869d1843a7365dc1a8f51508c66bf949824a20061e35050d80445225caa36c0b
Opcode Fuzzy Hash: 026466bfe67cbba3a90cabec3f1bbda13b81c69114465ba3ee418a443f62ddbb
Instruction Fuzzy Hash: 27E0923124430826D22037957C43F8D7A848F05B15F20087BFB58695C38AF9649406FD

Function 00410D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00410D71,?,?,?,003F100A), ref: 0040F7CE

IsDebuggerPresent.KERNEL32(?,?,?,003F100A), ref: 00410D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003F100A), ref: 00410D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00410D7F

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction ID: c4277ac6cd3ab9bb44b547bbcadcbf513f2423766d1c8734ad5e2c3276531fa6
Opcode Fuzzy Hash: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction Fuzzy Hash: 30E065742003418BD3709FBDE4447567BE0AB04744F004D7FE485C6661DBF8E4888BA9

Function 0040E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040E3D5

Strings

8%L, xrefs: 0040E3CA
0%L, xrefs: 0040E3B5

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%L$8%L
API String ID: 1385522511-1843137276
Opcode ID: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction ID: 10d0eae6355482df773069b516a3310d1c73e7b1f18e7878440c28dfc4b59d9e
Opcode Fuzzy Hash: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction Fuzzy Hash: B4E02631404D20EBC644971AFA54E8B3751AB05324B9005BFE912DB2D19FFCA881864D

Function 00463017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0046302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00463044

Strings

aut, xrefs: 00463038

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction ID: f912b82e12f10efe338c51d993a90e7a0776d82cb6828ee697e7147ce3013bc1
Opcode Fuzzy Hash: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction Fuzzy Hash: DFD05E7290032867DA20A7A4AC4EFCB3A6CDB05750F0006A2B655E20D1DAB49984CBE4

Function 0044D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0044D220

Strings

%.3d, xrefs: 0044D22B
X64, xrefs: 0044D2A8

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction ID: 41b13a4bfb4db8a0a1ca279ee16640d4413be2f21cfbd5ce45bb72d9b4e9f8bb
Opcode Fuzzy Hash: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction Fuzzy Hash: A6D01271C08109EADB9096D0DC499B9B3BCBB18301F6084F7F806A1080D67CD50AAB6B

Function 00482356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048236C
PostMessageW.USER32(00000000), ref: 00482373

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482365

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction ID: b14a1ba4671a0685fec3fd162f3559e034165f786b7be58066e99570eb128328
Opcode Fuzzy Hash: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction Fuzzy Hash: 9ED0A932380310BAE668A3319C4FFCA66049B00B00F10092A7601AA0D1C8B8A8058B2C

Function 00482322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0048233F

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482325

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction ID: 0d71512fa325f669820b90115187d654578d191bf0ad3af7a0155e1ea1293dd2
Opcode Fuzzy Hash: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction Fuzzy Hash: EDD0A932380310B6E668A3319C4FFCA6A049B00B00F10092A7605AA0D1C8B8A8058B28

Function 0042BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0042BE93
GetLastError.KERNEL32 ref: 0042BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042BEFC

Memory Dump Source

Source File: 00000000.00000002.1701602090.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1701589019.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701646157.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701683289.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701698916.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 8ccf57f277798dd0a3b58693584c1dd79b6faec761580d3b8ade76109032e562
Instruction ID: 03eea1cc856796477a0e63fbe9924034ba77201f0c32bb72e704a9de58a0cb08
Opcode Fuzzy Hash: 8ccf57f277798dd0a3b58693584c1dd79b6faec761580d3b8ade76109032e562
Instruction Fuzzy Hash: 02413831700226AFCF218F65ED84ABB7BA5EF01350F56416EF959973A1DB348C01CBA8

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1556946213&timestamp=1727752571638 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=cXqypJaQXr0HYb7LG9j-1ZTZ6W5nLVsjpotrLibBPTgOcpKiZ_fFstJwC5Ox4dPSOx7YXIbdtd8bG07m6w4j5yEtHICVWSjniC9yc69vqaCEdxfSb5WmLpInpn-9mIv4X6GqhURqynpnPYTPj_RdNNmnMq3l6OapYJLrZBjv1Qb2izc7OA
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E5raopbcaRR14nd&MD=yW+G4tc+ HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E5raopbcaRR14nd&MD=yW+G4tc+ HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
file.exe

Function 003F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 003F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00432BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0045D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0045DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 0047AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 003F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0043065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 003F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 003F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 003F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 003F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre